{
"statistics": {
"processing": [
{
"name": "CAPE",
"time": 4.95
},
{
"name": "AnalysisInfo",
"time": 0.046
},
{
"name": "BehaviorAnalysis",
"time": 0.106
},
{
"name": "Debug",
"time": 0.001
},
{
"name": "NetworkAnalysis",
"time": 0.0
},
{
"name": "Suricata",
"time": 0.0
},
{
"name": "UrlAnalysis",
"time": 0.0
},
{
"name": "script_log_processing",
"time": 0.0
},
{
"name": "ProcessMemory",
"time": 0.0
}
],
"signatures": [
{
"name": "packer_themida",
"time": 0.0
},
{
"name": "stealth_network",
"time": 0.0
},
{
"name": "disable_driver_via_blocklist",
"time": 0.0
},
{
"name": "disable_driver_via_hvcidisallowedimages",
"time": 0.0
},
{
"name": "disable_hypervisor_protected_code_integrity",
"time": 0.0
},
{
"name": "pendingfilerenameoperations_Operations",
"time": 0.0
},
{
"name": "anomalous_deletefile",
"time": 0.0
},
{
"name": "antiav_360_libs",
"time": 0.0
},
{
"name": "antiav_ahnlab_libs",
"time": 0.0
},
{
"name": "antiav_avast_libs",
"time": 0.0
},
{
"name": "antiav_bitdefender_libs",
"time": 0.0
},
{
"name": "antiav_bullguard_libs",
"time": 0.0
},
{
"name": "antiav_emsisoft_libs",
"time": 0.0
},
{
"name": "antiav_qurb_libs",
"time": 0.0
},
{
"name": "antiav_servicestop",
"time": 0.0
},
{
"name": "antiav_apioverride_libs",
"time": 0.0
},
{
"name": "antidebug_guardpages",
"time": 0.0
},
{
"name": "antiav_nthookengine_libs",
"time": 0.0
},
{
"name": "antidebug_outputdebugstring",
"time": 0.0
},
{
"name": "antidebug_setunhandledexceptionfilter",
"time": 0.0
},
{
"name": "antidebug_windows",
"time": 0.0
},
{
"name": "antisandbox_cuckoo",
"time": 0.0
},
{
"name": "antisandbox_cuckoocrash",
"time": 0.0
},
{
"name": "antisandbox_foregroundwindows",
"time": 0.0
},
{
"name": "mouse_movement_detect",
"time": 0.0
},
{
"name": "antisandbox_sboxie_libs",
"time": 0.0
},
{
"name": "antisandbox_script_timer",
"time": 0.0
},
{
"name": "antisandbox_sleep",
"time": 0.0
},
{
"name": "antisandbox_sunbelt_libs",
"time": 0.0
},
{
"name": "antisandbox_unhook",
"time": 0.0
},
{
"name": "antivm_directory_objects",
"time": 0.0
},
{
"name": "antivm_display",
"time": 0.0
},
{
"name": "antivm_generic_disk",
"time": 0.0
},
{
"name": "antivm_generic_scsi",
"time": 0.0
},
{
"name": "antivm_generic_services",
"time": 0.0
},
{
"name": "antivm_generic_system",
"time": 0.0
},
{
"name": "antivm_checks_available_memory",
"time": 0.0
},
{
"name": "detect_virtualization_via_recent_files",
"time": 0.0
},
{
"name": "antivm_vbox_libs",
"time": 0.0
},
{
"name": "antivm_vbox_window",
"time": 0.0
},
{
"name": "antivm_vmware_events",
"time": 0.0
},
{
"name": "antivm_vmware_libs",
"time": 0.0
},
{
"name": "antivm_wmi",
"time": 0.0
},
{
"name": "api_spamming",
"time": 0.0
},
{
"name": "api_uuidfromstringa",
"time": 0.0
},
{
"name": "banker_prinimalka",
"time": 0.0
},
{
"name": "bcdedit_command",
"time": 0.0
},
{
"name": "bootkit",
"time": 0.0
},
{
"name": "direct_hdd_access",
"time": 0.0
},
{
"name": "physical_drive_access",
"time": 0.0
},
{
"name": "potential_overwrite_mbr",
"time": 0.0
},
{
"name": "read_file_raw_disk_access",
"time": 0.0
},
{
"name": "suspicious_iocontrol_codes",
"time": 0.0
},
{
"name": "browser_needed",
"time": 0.0
},
{
"name": "firefox_disables_process_tab",
"time": 0.0
},
{
"name": "regsvr32_squiblydoo_dll_load",
"time": 0.0
},
{
"name": "uac_bypass_cmstp",
"time": 0.0
},
{
"name": "uac_bypass_eventvwr",
"time": 0.0
},
{
"name": "uac_bypass_windows_Backup",
"time": 0.0
},
{
"name": "dotnet_code_compile",
"time": 0.0
},
{
"name": "queries_computer_name",
"time": 0.0
},
{
"name": "queries_user_name",
"time": 0.0
},
{
"name": "creates_largekey",
"time": 0.0
},
{
"name": "creates_nullvalue",
"time": 0.0
},
{
"name": "access_windows_passwords_vault",
"time": 0.0
},
{
"name": "dump_lsa_via_windows_error_reporting",
"time": 0.0
},
{
"name": "lsass_credential_dumping",
"time": 0.0
},
{
"name": "critical_process",
"time": 0.0
},
{
"name": "cryptopool_domains",
"time": 0.0
},
{
"name": "dead_connect",
"time": 0.0
},
{
"name": "dead_link",
"time": 0.0
},
{
"name": "decoy_document",
"time": 0.0
},
{
"name": "decoy_image",
"time": 0.0
},
{
"name": "deletes_consolehost_history",
"time": 0.0
},
{
"name": "dep_bypass",
"time": 0.0
},
{
"name": "dep_disable",
"time": 0.0
},
{
"name": "disables_spdy",
"time": 0.0
},
{
"name": "disables_wfp",
"time": 0.0
},
{
"name": "add_windows_defender_exclusions",
"time": 0.0
},
{
"name": "mountpoints_volume_discovery",
"time": 0.0
},
{
"name": "dll_load_uncommon_file_types",
"time": 0.0
},
{
"name": "document_script_exe_drop",
"time": 0.0
},
{
"name": "guloader_apis",
"time": 0.0
},
{
"name": "driver_load",
"time": 0.0
},
{
"name": "dynamic_function_loading",
"time": 0.0
},
{
"name": "encrypted_ioc",
"time": 0.0
},
{
"name": "exec_crash",
"time": 0.0
},
{
"name": "process_creation_suspicious_location",
"time": 0.0
},
{
"name": "exploit_getbasekerneladdress",
"time": 0.0
},
{
"name": "exploit_gethaldispatchtable",
"time": 0.0
},
{
"name": "exploit_heapspray",
"time": 0.0
},
{
"name": "koadic_apis",
"time": 0.0
},
{
"name": "koadic_network_activity",
"time": 0.0
},
{
"name": "downloads_from_filehosting",
"time": 0.0
},
{
"name": "generic_phish",
"time": 0.0
},
{
"name": "http_request",
"time": 0.0
},
{
"name": "infostealer_browser",
"time": 0.0
},
{
"name": "infostealer_browser_password",
"time": 0.0
},
{
"name": "infostealer_cookies",
"time": 0.0
},
{
"name": "cryptbot_network",
"time": 0.0
},
{
"name": "masslogger_version",
"time": 0.0
},
{
"name": "purplewave_network_activity",
"time": 0.0
},
{
"name": "quilclipper_behavior",
"time": 0.0
},
{
"name": "raccoon_behavior",
"time": 0.0
},
{
"name": "captures_screenshot",
"time": 0.0
},
{
"name": "vidar_behavior",
"time": 0.0
},
{
"name": "injection_createremotethread",
"time": 0.0
},
{
"name": "creates_suspended_process",
"time": 0.0
},
{
"name": "injection_explorer",
"time": 0.0
},
{
"name": "injection_network_traffic",
"time": 0.0
},
{
"name": "injection_runpe",
"time": 0.0
},
{
"name": "injection_rwx",
"time": 0.0
},
{
"name": "injection_themeinitapihook",
"time": 0.0
},
{
"name": "resumethread_remote_process",
"time": 0.0
},
{
"name": "injection_write_exe_process",
"time": 0.0
},
{
"name": "injection_write_process",
"time": 0.0
},
{
"name": "internet_dropper",
"time": 0.0
},
{
"name": "escalate_privilege_via_named_pipe",
"time": 0.0
},
{
"name": "ipc_namedpipe",
"time": 0.0
},
{
"name": "js_phish",
"time": 0.0
},
{
"name": "js_suspicious_redirect",
"time": 0.0
},
{
"name": "loader_alien",
"time": 0.0
},
{
"name": "execute_binary_via_internet_explorer_exporter",
"time": 0.0
},
{
"name": "execute_binary_via_run_exe_helper_utility",
"time": 0.0
},
{
"name": "execute_ps_via_syncappvpublishingserver",
"time": 0.0
},
{
"name": "malicious_dynamic_function_loading",
"time": 0.0
},
{
"name": "encrypt_pcinfo",
"time": 0.0
},
{
"name": "encrypt_data_agenttesla_http",
"time": 0.0
},
{
"name": "encrypt_data_agentteslat2_http",
"time": 0.0
},
{
"name": "encrypt_data_nanocore",
"time": 0.0
},
{
"name": "reads_memory_remote_process",
"time": 0.0
},
{
"name": "mimics_filetime",
"time": 0.0
},
{
"name": "amsi_bypass_via_com_registry",
"time": 0.0
},
{
"name": "access_auto_logons_via_registry",
"time": 0.0
},
{
"name": "access_boot_key_via_registry",
"time": 0.0
},
{
"name": "create_suspicious_lnk_files",
"time": 0.0
},
{
"name": "credential_access_via_windows_credential_history",
"time": 0.0
},
{
"name": "dll_hijacking_via_microsoft_exchange",
"time": 0.0
},
{
"name": "dll_hijacking_via_waas_medic_svc_com_typelib",
"time": 0.0
},
{
"name": "execute_file_downloaded_via_openssh",
"time": 0.0
},
{
"name": "execute_safe_mode_from_suspicious_process",
"time": 0.0
},
{
"name": "execute_scripts_via_microsoft_management_console",
"time": 0.0
},
{
"name": "execute_suspicious_processes_via_windows_mssql_service",
"time": 0.0
},
{
"name": "execution_from_self_extracting_archive",
"time": 0.0
},
{
"name": "ip_address_discovery_via_trusted_program",
"time": 0.0
},
{
"name": "load_dll_via_control_panel",
"time": 0.0
},
{
"name": "network_connection_via_suspicious_process",
"time": 0.0
},
{
"name": "potential_location_discovery_via_unusual_process",
"time": 0.0
},
{
"name": "store_executable_registry",
"time": 0.0
},
{
"name": "Suspicious_Execution_Via_MicrosoftExchangeTransportAgent",
"time": 0.0
},
{
"name": "suspicious_java_execution_via_win_scripts",
"time": 0.0
},
{
"name": "Suspicious_Scheduled_Task_Creation_Via_Masqueraded_XML_File",
"time": 0.0
},
{
"name": "uses_restart_manager_for_suspicious_activities",
"time": 0.0
},
{
"name": "modify_desktop_wallpaper",
"time": 0.0
},
{
"name": "modify_zoneid_ads",
"time": 0.0
},
{
"name": "move_file_on_reboot",
"time": 0.0
},
{
"name": "multiple_useragents",
"time": 0.0
},
{
"name": "network_anomaly",
"time": 0.0
},
{
"name": "network_bind",
"time": 0.0
},
{
"name": "network_cnc_https_archive",
"time": 0.0
},
{
"name": "network_cnc_https_free_webhosting",
"time": 0.0
},
{
"name": "network_cnc_https_generic",
"time": 0.0
},
{
"name": "network_cnc_https_interactsh",
"time": 0.0
},
{
"name": "network_cnc_https_opensource",
"time": 0.0
},
{
"name": "network_cnc_https_pastesite",
"time": 0.0
},
{
"name": "network_cnc_https_payload",
"time": 0.0
},
{
"name": "network_cnc_https_serviceinterface",
"time": 0.0
},
{
"name": "network_cnc_https_socialmedia",
"time": 0.0
},
{
"name": "network_cnc_https_telegram",
"time": 0.0
},
{
"name": "network_cnc_https_tempstorage",
"time": 0.0
},
{
"name": "network_cnc_https_temp_urldns",
"time": 0.0
},
{
"name": "network_cnc_https_urlshortener",
"time": 0.0
},
{
"name": "network_cnc_https_useragent",
"time": 0.0
},
{
"name": "network_cnc_smtps_exfil",
"time": 0.0
},
{
"name": "network_cnc_smtps_generic",
"time": 0.0
},
{
"name": "network_dns_idn",
"time": 0.0
},
{
"name": "network_dns_suspicious_querytype",
"time": 0.0
},
{
"name": "network_dns_tunneling_request",
"time": 0.0
},
{
"name": "network_document_http",
"time": 0.0
},
{
"name": "explorer_http",
"time": 0.0
},
{
"name": "network_fake_useragent",
"time": 0.0
},
{
"name": "legitimate_domain_abuse",
"time": 0.0
},
{
"name": "suspicious_communication_trusted_site",
"time": 0.0
},
{
"name": "network_tor",
"time": 0.0
},
{
"name": "office_com_load",
"time": 0.0
},
{
"name": "office_dotnet_load",
"time": 0.0
},
{
"name": "office_mshtml_load",
"time": 0.0
},
{
"name": "office_vb_load",
"time": 0.0
},
{
"name": "office_wmi_load",
"time": 0.0
},
{
"name": "office_cve2017_11882",
"time": 0.0
},
{
"name": "office_cve2017_11882_network",
"time": 0.0
},
{
"name": "office_cve_2021_40444",
"time": 0.0
},
{
"name": "office_cve_2021_40444_m2",
"time": 0.0
},
{
"name": "office_flash_load",
"time": 0.0
},
{
"name": "office_postscript",
"time": 0.0
},
{
"name": "office_suspicious_processes",
"time": 0.0
},
{
"name": "office_write_exe",
"time": 0.0
},
{
"name": "persistence_via_autodial_dll_registry",
"time": 0.0
},
{
"name": "persistence_autorun",
"time": 0.0
},
{
"name": "persistence_autorun_tasks",
"time": 0.0
},
{
"name": "persistence_bootexecute",
"time": 0.0
},
{
"name": "persistence_registry_script",
"time": 0.0
},
{
"name": "powershell_network_connection",
"time": 0.0
},
{
"name": "powershell_download",
"time": 0.0
},
{
"name": "powershell_request",
"time": 0.0
},
{
"name": "createtoolhelp32snapshot_module_enumeration",
"time": 0.0
},
{
"name": "enumerates_running_processes",
"time": 0.0
},
{
"name": "process_interest",
"time": 0.0
},
{
"name": "process_needed",
"time": 0.0
},
{
"name": "mass_data_encryption",
"time": 0.0
},
{
"name": "ransomware_dmalocker",
"time": 0.0
},
{
"name": "ransomware_file_modifications",
"time": 0.0
},
{
"name": "ransomware_message",
"time": 0.0
},
{
"name": "nemty_network_activity",
"time": 0.0
},
{
"name": "nemty_note",
"time": 0.0
},
{
"name": "sodinokibi_behavior",
"time": 0.0
},
{
"name": "stop_ransomware_registry",
"time": 0.0
},
{
"name": "blackrat_apis",
"time": 0.0
},
{
"name": "blackrat_network_activity",
"time": 0.0
},
{
"name": "blackrat_registry_keys",
"time": 0.0
},
{
"name": "dcrat_behavior",
"time": 0.0
},
{
"name": "karagany_system_event_objects",
"time": 0.0
},
{
"name": "rat_luminosity",
"time": 0.0
},
{
"name": "rat_nanocore",
"time": 0.0
},
{
"name": "netwire_behavior",
"time": 0.0
},
{
"name": "obliquerat_network_activity",
"time": 0.0
},
{
"name": "orcusrat_behavior",
"time": 0.0
},
{
"name": "trochilusrat_apis",
"time": 0.0
},
{
"name": "reads_self",
"time": 0.0
},
{
"name": "recon_beacon",
"time": 0.0
},
{
"name": "recon_programs",
"time": 0.0
},
{
"name": "recon_systeminfo",
"time": 0.0
},
{
"name": "accesses_recyclebin",
"time": 0.0
},
{
"name": "remcos_shell_code_dynamic_wrapper_x",
"time": 0.0
},
{
"name": "script_created_process",
"time": 0.0
},
{
"name": "script_network_activity",
"time": 0.0
},
{
"name": "suspicious_js_script",
"time": 0.0
},
{
"name": "javascript_timer",
"time": 0.0
},
{
"name": "secure_login_phishing",
"time": 0.0
},
{
"name": "securityxploded_modules",
"time": 0.0
},
{
"name": "get_clipboard_data",
"time": 0.0
},
{
"name": "sets_autoconfig_url",
"time": 0.0
},
{
"name": "spoofs_procname",
"time": 0.0
},
{
"name": "stack_pivot",
"time": 0.0
},
{
"name": "stack_pivot_file_created",
"time": 0.0
},
{
"name": "stack_pivot_process_create",
"time": 0.0
},
{
"name": "set_clipboard_data",
"time": 0.0
},
{
"name": "stealth_childproc",
"time": 0.0
},
{
"name": "stealth_file",
"time": 0.0
},
{
"name": "stealth_timeout",
"time": 0.0
},
{
"name": "stealth_window",
"time": 0.0
},
{
"name": "queries_keyboard_layout",
"time": 0.0
},
{
"name": "queries_locale_api",
"time": 0.0
},
{
"name": "terminates_remote_process",
"time": 0.0
},
{
"name": "uiautomationcore_load",
"time": 0.0
},
{
"name": "user_enum",
"time": 0.0
},
{
"name": "mmc_dll_script_load",
"time": 0.0
},
{
"name": "mmc_dotnet_load",
"time": 0.0
},
{
"name": "virus",
"time": 0.0
},
{
"name": "neshta_files",
"time": 0.0
},
{
"name": "neshta_regkeys",
"time": 0.0
},
{
"name": "webmail_phish",
"time": 0.0
},
{
"name": "persists_dev_util",
"time": 0.0
},
{
"name": "spawns_dev_util",
"time": 0.0
},
{
"name": "alters_windows_utility",
"time": 0.0
},
{
"name": "overwrites_accessibility_utility",
"time": 0.0
},
{
"name": "Potential_Lateral_Movement_Via_SMBEXEC",
"time": 0.0
},
{
"name": "potential_WebShell_Via_ScreenConnectServer",
"time": 0.0
},
{
"name": "uses_Microsoft_HTML_Help_Executable",
"time": 0.0
},
{
"name": "wiper_zeroedbytes",
"time": 0.0
},
{
"name": "wmi_create_process",
"time": 0.0
},
{
"name": "wmi_script_process",
"time": 0.0
},
{
"name": "antianalysis_tls_section",
"time": 0.0
},
{
"name": "antivirus_clamav",
"time": 0.0
},
{
"name": "antivirus_virustotal",
"time": 0.0
},
{
"name": "bad_certs",
"time": 0.0
},
{
"name": "bad_ssl_certs",
"time": 0.0
},
{
"name": "banker_zeus_p2p",
"time": 0.0
},
{
"name": "banker_zeus_url",
"time": 0.0
},
{
"name": "binary_yara",
"time": 0.0
},
{
"name": "bot_athenahttp",
"time": 0.0
},
{
"name": "bot_dirtjumper",
"time": 0.0
},
{
"name": "bot_drive",
"time": 0.0
},
{
"name": "bot_drive2",
"time": 0.0
},
{
"name": "bot_madness",
"time": 0.0
},
{
"name": "phishing_kit_detected",
"time": 0.0
},
{
"name": "family_proxyback",
"time": 0.0
},
{
"name": "flare_capa_antianalysis",
"time": 0.0
},
{
"name": "flare_capa_collection",
"time": 0.0
},
{
"name": "flare_capa_communication",
"time": 0.0
},
{
"name": "flare_capa_compiler",
"time": 0.0
},
{
"name": "flare_capa_datamanipulation",
"time": 0.0
},
{
"name": "flare_capa_executable",
"time": 0.0
},
{
"name": "flare_capa_hostinteraction",
"time": 0.0
},
{
"name": "flare_capa_impact",
"time": 0.0
},
{
"name": "flare_capa_lib",
"time": 0.0
},
{
"name": "flare_capa_linking",
"time": 0.0
},
{
"name": "flare_capa_loadcode",
"time": 0.0
},
{
"name": "flare_capa_malwarefamily",
"time": 0.0
},
{
"name": "flare_capa_nursery",
"time": 0.0
},
{
"name": "flare_capa_persistence",
"time": 0.0
},
{
"name": "flare_capa_runtime",
"time": 0.0
},
{
"name": "flare_capa_targeting",
"time": 0.0
},
{
"name": "threatfox",
"time": 0.0
},
{
"name": "log4shell",
"time": 0.0
},
{
"name": "mimics_extension",
"time": 0.0
},
{
"name": "network_country_distribution",
"time": 0.0
},
{
"name": "network_cnc_http",
"time": 0.0
},
{
"name": "network_ip_exe",
"time": 0.0
},
{
"name": "network_dga",
"time": 0.0
},
{
"name": "network_dga_fraunhofer",
"time": 0.0
},
{
"name": "network_dyndns",
"time": 0.0
},
{
"name": "network_excessive_udp",
"time": 0.0
},
{
"name": "network_http",
"time": 0.0
},
{
"name": "network_icmp",
"time": 0.0
},
{
"name": "network_irc",
"time": 0.0
},
{
"name": "network_open_proxy",
"time": 0.0
},
{
"name": "network_questionable_http_path",
"time": 0.0
},
{
"name": "network_questionable_https_path",
"time": 0.0
},
{
"name": "network_smtp",
"time": 0.0
},
{
"name": "network_torgateway",
"time": 0.0
},
{
"name": "origin_langid",
"time": 0.0
},
{
"name": "origin_resource_langid",
"time": 0.0
},
{
"name": "overlay",
"time": 0.0
},
{
"name": "packer_unknown_pe_section_name",
"time": 0.0
},
{
"name": "packer_aspack",
"time": 0.0
},
{
"name": "packer_aspirecrypt",
"time": 0.0
},
{
"name": "packer_bedsprotector",
"time": 0.0
},
{
"name": "packer_confuser",
"time": 0.0
},
{
"name": "packer_enigma",
"time": 0.0
},
{
"name": "packer_entropy",
"time": 0.0
},
{
"name": "packer_mpress",
"time": 0.0
},
{
"name": "packer_nate",
"time": 0.0
},
{
"name": "packer_nspack",
"time": 0.0
},
{
"name": "packer_smartassembly",
"time": 0.0
},
{
"name": "packer_spices",
"time": 0.0
},
{
"name": "packer_themida",
"time": 0.0
},
{
"name": "packer_titan",
"time": 0.0
},
{
"name": "packer_upx",
"time": 0.0
},
{
"name": "packer_vmprotect",
"time": 0.0
},
{
"name": "packer_yoda",
"time": 0.0
},
{
"name": "pdf_annot_urls_checker",
"time": 0.0
},
{
"name": "polymorphic",
"time": 0.0
},
{
"name": "punch_plus_plus_pcres",
"time": 0.0
},
{
"name": "procmem_yara",
"time": 0.0
},
{
"name": "recon_checkip",
"time": 0.0
},
{
"name": "static_authenticode",
"time": 0.0
},
{
"name": "invalid_authenticode_signature",
"time": 0.0
},
{
"name": "static_dotnet_anomaly",
"time": 0.0
},
{
"name": "static_java",
"time": 0.0
},
{
"name": "static_pdf",
"time": 0.0
},
{
"name": "contains_pe_overlay",
"time": 0.0
},
{
"name": "static_pe_anomaly",
"time": 0.0
},
{
"name": "pe_compile_timestomping",
"time": 0.0
},
{
"name": "static_pe_pdbpath",
"time": 0.0
},
{
"name": "static_rat_config",
"time": 0.0
},
{
"name": "static_versioninfo_anomaly",
"time": 0.0
},
{
"name": "suricata_alert",
"time": 0.0
},
{
"name": "suspicious_html_body",
"time": 0.0
},
{
"name": "suspicious_html_name",
"time": 0.0
},
{
"name": "suspicious_html_title",
"time": 0.0
},
{
"name": "volatility_devicetree_1",
"time": 0.0
},
{
"name": "volatility_handles_1",
"time": 0.0
},
{
"name": "volatility_ldrmodules_1",
"time": 0.0
},
{
"name": "volatility_ldrmodules_2",
"time": 0.0
},
{
"name": "volatility_malfind_1",
"time": 0.0
},
{
"name": "volatility_malfind_2",
"time": 0.0
},
{
"name": "volatility_modscan_1",
"time": 0.0
},
{
"name": "volatility_svcscan_1",
"time": 0.0
},
{
"name": "volatility_svcscan_2",
"time": 0.0
},
{
"name": "volatility_svcscan_3",
"time": 0.0
},
{
"name": "whois_create",
"time": 0.0
},
{
"name": "accesses_mailslot",
"time": 0.0
},
{
"name": "accesses_netlogon_regkey",
"time": 0.0
},
{
"name": "accesses_public_folder",
"time": 0.0
},
{
"name": "accesses_sysvol",
"time": 0.0
},
{
"name": "writes_sysvol",
"time": 0.0
},
{
"name": "adds_admin_user",
"time": 0.0
},
{
"name": "adds_user",
"time": 0.0
},
{
"name": "overwrites_admin_password",
"time": 0.0
},
{
"name": "antianalysis_detectfile",
"time": 0.004
},
{
"name": "antianalysis_detectreg",
"time": 0.011
},
{
"name": "modify_attachment_manager",
"time": 0.0
},
{
"name": "antiav_detectfile",
"time": 0.007
},
{
"name": "antiav_detectreg",
"time": 0.05
},
{
"name": "antiav_srp",
"time": 0.0
},
{
"name": "antiav_whitespace",
"time": 0.0
},
{
"name": "antidebug_devices",
"time": 0.001
},
{
"name": "antiemu_windefend",
"time": 0.0
},
{
"name": "antiemu_wine_reg",
"time": 0.0
},
{
"name": "antisandbox_cuckoo_files",
"time": 0.0
},
{
"name": "antisandbox_fortinet_files",
"time": 0.0
},
{
"name": "antisandbox_joe_anubis_files",
"time": 0.0
},
{
"name": "antisandbox_sboxie_mutex",
"time": 0.0
},
{
"name": "antisandbox_sunbelt_files",
"time": 0.0
},
{
"name": "antisandbox_threattrack_files",
"time": 0.0
},
{
"name": "antivm_bochs_keys",
"time": 0.001
},
{
"name": "antivm_generic_bios",
"time": 0.001
},
{
"name": "antivm_generic_diskreg",
"time": 0.002
},
{
"name": "antivm_hyperv_keys",
"time": 0.001
},
{
"name": "antivm_parallels_keys",
"time": 0.003
},
{
"name": "antivm_recentdocs",
"time": 0.0
},
{
"name": "antivm_vbox_devices",
"time": 0.001
},
{
"name": "antivm_vbox_files",
"time": 0.003
},
{
"name": "antivm_vbox_keys",
"time": 0.006
},
{
"name": "antivm_vmware_devices",
"time": 0.0
},
{
"name": "antivm_vmware_files",
"time": 0.001
},
{
"name": "antivm_vmware_keys",
"time": 0.004
},
{
"name": "antivm_vmware_mutexes",
"time": 0.0
},
{
"name": "antivm_vpc_files",
"time": 0.0
},
{
"name": "antivm_vpc_keys",
"time": 0.002
},
{
"name": "antivm_vpc_mutex",
"time": 0.0
},
{
"name": "antivm_xen_keys",
"time": 0.003
},
{
"name": "asyncrat_mutex",
"time": 0.0
},
{
"name": "gulpix_behavior",
"time": 0.0
},
{
"name": "ketrican_regkeys",
"time": 0.001
},
{
"name": "okrum_mutexes",
"time": 0.0
},
{
"name": "banker_cridex",
"time": 0.0
},
{
"name": "geodo_banking_trojan",
"time": 0.002
},
{
"name": "banker_spyeye_mutexes",
"time": 0.0
},
{
"name": "banker_zeus_mutex",
"time": 0.001
},
{
"name": "bitcoin_opencl",
"time": 0.0
},
{
"name": "enumerates_physical_drives",
"time": 0.0
},
{
"name": "bot_russkill",
"time": 0.0
},
{
"name": "browser_addon",
"time": 0.0
},
{
"name": "chromium_browser_extension_directory",
"time": 0.0
},
{
"name": "browser_helper_object",
"time": 0.0
},
{
"name": "browser_security",
"time": 0.002
},
{
"name": "browser_startpage",
"time": 0.0
},
{
"name": "ie_disables_process_tab",
"time": 0.0
},
{
"name": "odbcconf_bypass",
"time": 0.0
},
{
"name": "squiblydoo_bypass",
"time": 0.0
},
{
"name": "squiblytwo_bypass",
"time": 0.0
},
{
"name": "bypass_chromium_protection",
"time": 0.0
},
{
"name": "bypass_firewall",
"time": 0.001
},
{
"name": "checks_uac_status",
"time": 0.0
},
{
"name": "uac_bypass_cmstpcom",
"time": 0.0
},
{
"name": "uac_bypass_delegateexecute_sdclt",
"time": 0.0
},
{
"name": "uac_bypass_fodhelper",
"time": 0.0
},
{
"name": "cape_extracted_content",
"time": 0.0
},
{
"name": "carberp_mutex",
"time": 0.0
},
{
"name": "clears_logs",
"time": 0.0
},
{
"name": "cmdline_obfuscation",
"time": 0.0
},
{
"name": "cmdline_switches",
"time": 0.0
},
{
"name": "cmdline_terminate",
"time": 0.0
},
{
"name": "cmdline_forfiles_wildcard",
"time": 0.0
},
{
"name": "cmdline_http_link",
"time": 0.0
},
{
"name": "cmdline_long_string",
"time": 0.0
},
{
"name": "cmdline_reversed_http_link",
"time": 0.0
},
{
"name": "long_commandline",
"time": 0.0
},
{
"name": "powershell_renamed_commandline",
"time": 0.0
},
{
"name": "copies_self",
"time": 0.0
},
{
"name": "credwiz_credentialaccess",
"time": 0.0
},
{
"name": "enables_wdigest",
"time": 0.0
},
{
"name": "vaultcmd_credentialaccess",
"time": 0.0
},
{
"name": "file_credential_store_access",
"time": 0.001
},
{
"name": "file_credential_store_write",
"time": 0.0
},
{
"name": "kerberos_credential_access_via_rubeus",
"time": 0.0
},
{
"name": "registry_credential_dumping",
"time": 0.0
},
{
"name": "registry_credential_store_access",
"time": 0.001
},
{
"name": "registry_lsa_secrets_access",
"time": 0.0
},
{
"name": "comsvcs_credentialdump",
"time": 0.0
},
{
"name": "cryptomining_stratum_command",
"time": 0.0
},
{
"name": "cypherit_mutexes",
"time": 0.0
},
{
"name": "darkcomet_regkeys",
"time": 0.001
},
{
"name": "datop_loader",
"time": 0.0
},
{
"name": "deepfreeze_mutex",
"time": 0.0
},
{
"name": "deletes_executed_files",
"time": 0.0
},
{
"name": "disables_app_launch",
"time": 0.0
},
{
"name": "disables_auto_app_termination",
"time": 0.0
},
{
"name": "disables_appv_virtualization",
"time": 0.0
},
{
"name": "disables_backups",
"time": 0.002
},
{
"name": "disables_browser_warn",
"time": 0.001
},
{
"name": "disables_context_menus",
"time": 0.0
},
{
"name": "disables_cpl_disable",
"time": 0.0
},
{
"name": "disables_crashdumps",
"time": 0.0
},
{
"name": "disables_event_logging",
"time": 0.0
},
{
"name": "disables_folder_options",
"time": 0.0
},
{
"name": "disables_notificationcenter",
"time": 0.0
},
{
"name": "disables_power_options",
"time": 0.001
},
{
"name": "disables_restore_default_state",
"time": 0.0
},
{
"name": "disables_run_command",
"time": 0.0
},
{
"name": "disables_smartscreen",
"time": 0.0
},
{
"name": "disables_startmenu_search",
"time": 0.001
},
{
"name": "disables_system_restore",
"time": 0.0
},
{
"name": "disables_uac",
"time": 0.0
},
{
"name": "disables_wer",
"time": 0.0
},
{
"name": "disables_windows_defender",
"time": 0.0
},
{
"name": "disables_windows_defender_logging",
"time": 0.0
},
{
"name": "removes_windows_defender_contextmenu",
"time": 0.0
},
{
"name": "removes_windows_defender_updates",
"time": 0.0
},
{
"name": "windows_defender_powershell",
"time": 0.0
},
{
"name": "disables_windows_file_protection",
"time": 0.0
},
{
"name": "disables_windowsupdate",
"time": 0.0
},
{
"name": "disables_winfirewall",
"time": 0.0
},
{
"name": "discover_registry_mount_points",
"time": 0.0
},
{
"name": "adfind_domain_enumeration",
"time": 0.0
},
{
"name": "domain_enumeration_commands",
"time": 0.0
},
{
"name": "andromut_mutexes",
"time": 0.0
},
{
"name": "downloader_cabby",
"time": 0.0
},
{
"name": "phorpiex_mutexes",
"time": 0.0
},
{
"name": "protonbot_mutexes",
"time": 0.0
},
{
"name": "driver_filtermanager",
"time": 0.0
},
{
"name": "dropper",
"time": 0.0
},
{
"name": "dll_archive_execution",
"time": 0.0
},
{
"name": "lnk_archive_execution",
"time": 0.0
},
{
"name": "script_archive_execution",
"time": 0.0
},
{
"name": "excel4_macro_urls",
"time": 0.0
},
{
"name": "escalate_privilege_via_ntlm_relay",
"time": 0.0
},
{
"name": "spooler_access",
"time": 0.0
},
{
"name": "spooler_svc_start",
"time": 0.0
},
{
"name": "mapped_drives_uac",
"time": 0.0
},
{
"name": "hides_recycle_bin_icon",
"time": 0.0
},
{
"name": "apocalypse_stealer_file_behavior",
"time": 0.0
},
{
"name": "arkei_files",
"time": 0.0
},
{
"name": "azorult_mutexes",
"time": 0.001
},
{
"name": "infostealer_bitcoin",
"time": 0.004
},
{
"name": "cryptbot_files",
"time": 0.001
},
{
"name": "echelon_files",
"time": 0.001
},
{
"name": "infostealer_ftp",
"time": 0.019
},
{
"name": "infostealer_im",
"time": 0.011
},
{
"name": "infostealer_mail",
"time": 0.005
},
{
"name": "masslogger_files",
"time": 0.0
},
{
"name": "poullight_files",
"time": 0.002
},
{
"name": "purplewave_mutexes",
"time": 0.0
},
{
"name": "quilclipper_mutexes",
"time": 0.0
},
{
"name": "qulab_files",
"time": 0.001
},
{
"name": "qulab_mutexes",
"time": 0.0
},
{
"name": "asyncrat_mutex",
"time": 0.0
},
{
"name": "Evade_Execution_Via_ASPNet_Compiler",
"time": 0.0
},
{
"name": "Evade_Execute_Via_DeviceCredentialDeployment",
"time": 0.0
},
{
"name": "Evade_Execution_Via_Filter_Manager_Control",
"time": 0.0
},
{
"name": "Evade_Execution_Via_Intel_GFXDownloadWrapper",
"time": 0.0
},
{
"name": "execute_binary_via_appvlp",
"time": 0.0
},
{
"name": "execute_binary_via_pcalua",
"time": 0.0
},
{
"name": "Execute_Binary_Via_OpenSSH",
"time": 0.0
},
{
"name": "execute_binary_via_pcalua",
"time": 0.0
},
{
"name": "Execute_Binary_Via_PesterPSModule",
"time": 0.0
},
{
"name": "Execute_Binary_Via_ScriptRunner",
"time": 0.0
},
{
"name": "execute_binary_via_ttdinject",
"time": 0.0
},
{
"name": "Execute_Binary_Via_VisualStudioLiveShare",
"time": 0.0
},
{
"name": "Execute_Msiexec_Via_Explorer",
"time": 0.0
},
{
"name": "execute_remote_msi",
"time": 0.0
},
{
"name": "execute_suspicious_powershell_via_runscripthelper",
"time": 0.0
},
{
"name": "execute_suspicious_powershell_via_sqlps",
"time": 0.0
},
{
"name": "Indirect_Command_Execution_Via_ConsoleWindowHost",
"time": 0.0
},
{
"name": "Perform_Malicious_Activities_Via_Headless_Browser",
"time": 0.0
},
{
"name": "Register_DLL_Via_CertOC",
"time": 0.0
},
{
"name": "Register_DLL_Via_MSIEXEC",
"time": 0.0
},
{
"name": "Register_DLL_Via_Odbcconf",
"time": 0.0
},
{
"name": "Scriptlet_Proxy_Execution_Via_Pubprn",
"time": 0.0
},
{
"name": "ie_martian_children",
"time": 0.0
},
{
"name": "office_martian_children",
"time": 0.0
},
{
"name": "mimics_icon",
"time": 0.0
},
{
"name": "masquerade_process_name",
"time": 0.004
},
{
"name": "mimikatz_modules",
"time": 0.0
},
{
"name": "ms_office_cmd_rce",
"time": 0.0
},
{
"name": "mount_copy_to_webdav_share",
"time": 0.0
},
{
"name": "potential_protocol_tunneling_via_legit_utilities",
"time": 0.0
},
{
"name": "potential_protocol_tunneling_via_qemu",
"time": 0.0
},
{
"name": "suspicious_execution_via_dotnet_remoting",
"time": 0.0
},
{
"name": "modify_certs",
"time": 0.0
},
{
"name": "dotnet_clr_usagelog_regkeys",
"time": 0.0
},
{
"name": "modify_hostfile",
"time": 0.0
},
{
"name": "modify_oem_information",
"time": 0.0
},
{
"name": "modify_security_center_warnings",
"time": 0.0
},
{
"name": "modify_uac_prompt",
"time": 0.0
},
{
"name": "network_dns_blockchain",
"time": 0.0
},
{
"name": "network_dns_opennic",
"time": 0.0
},
{
"name": "network_dns_paste_site",
"time": 0.0
},
{
"name": "network_dns_reverse_proxy",
"time": 0.0
},
{
"name": "network_dns_temp_file_storage",
"time": 0.0
},
{
"name": "network_dns_temp_urldns",
"time": 0.0
},
{
"name": "network_dns_url_shortener",
"time": 0.0
},
{
"name": "network_dns_doh_tls",
"time": 0.0
},
{
"name": "suspicious_tld",
"time": 0.0
},
{
"name": "network_tor_service",
"time": 0.0
},
{
"name": "office_code_page",
"time": 0.0
},
{
"name": "office_addinloading",
"time": 0.0
},
{
"name": "office_perfkey",
"time": 0.0
},
{
"name": "office_macro",
"time": 0.0
},
{
"name": "changes_trust_center_settings",
"time": 0.0
},
{
"name": "disables_vba_trust_access",
"time": 0.0
},
{
"name": "office_macro_autoexecution",
"time": 0.0
},
{
"name": "office_macro_ioc",
"time": 0.0
},
{
"name": "office_macro_malicious_prediction",
"time": 0.0
},
{
"name": "office_macro_suspicious",
"time": 0.0
},
{
"name": "rtf_aslr_bypass",
"time": 0.0
},
{
"name": "rtf_anomaly_characterset",
"time": 0.0
},
{
"name": "rtf_anomaly_version",
"time": 0.0
},
{
"name": "rtf_embedded_content",
"time": 0.0
},
{
"name": "rtf_embedded_office_file",
"time": 0.0
},
{
"name": "rtf_exploit_static",
"time": 0.0
},
{
"name": "office_security",
"time": 0.0
},
{
"name": "accesses_office_username",
"time": 0.0
},
{
"name": "office_anomalous_feature",
"time": 0.0
},
{
"name": "office_dde_command",
"time": 0.0
},
{
"name": "packer_armadillo_mutex",
"time": 0.0
},
{
"name": "packer_armadillo_regkey",
"time": 0.0
},
{
"name": "persistence_ads",
"time": 0.0
},
{
"name": "persistence_safeboot",
"time": 0.0
},
{
"name": "persistence_ifeo",
"time": 0.0
},
{
"name": "persistence_silent_process_exit",
"time": 0.0
},
{
"name": "persistence_rdp_registry",
"time": 0.0
},
{
"name": "persistence_rdp_shadowing",
"time": 0.0
},
{
"name": "persistence_service",
"time": 0.0
},
{
"name": "persistence_shim_database",
"time": 0.0
},
{
"name": "powerpool_mutexes",
"time": 0.0
},
{
"name": "powershell_scriptblock_logging",
"time": 0.0
},
{
"name": "powershell_command_suspicious",
"time": 0.0
},
{
"name": "powershell_history_save_mod",
"time": 0.0
},
{
"name": "powershell_renamed",
"time": 0.0
},
{
"name": "powershell_reversed",
"time": 0.0
},
{
"name": "powershell_variable_obfuscation",
"time": 0.0
},
{
"name": "prevents_safeboot",
"time": 0.0
},
{
"name": "cmdline_process_discovery",
"time": 0.0
},
{
"name": "cryptomix_mutexes",
"time": 0.0
},
{
"name": "dharma_mutexes",
"time": 0.0
},
{
"name": "ransomware_extensions_generic",
"time": 0.0
},
{
"name": "ransomware_extensions_known",
"time": 0.005
},
{
"name": "ransomware_files",
"time": 0.006
},
{
"name": "fonix_mutexes",
"time": 0.0
},
{
"name": "gandcrab_mutexes",
"time": 0.0
},
{
"name": "germanwiper_mutexes",
"time": 0.0
},
{
"name": "medusalocker_mutexes",
"time": 0.0
},
{
"name": "medusalocker_regkeys",
"time": 0.0
},
{
"name": "nemty_mutexes",
"time": 0.0
},
{
"name": "nemty_regkeys",
"time": 0.0
},
{
"name": "pysa_mutexes",
"time": 0.0
},
{
"name": "ransomware_radamant",
"time": 0.0
},
{
"name": "ransomware_recyclebin",
"time": 0.0
},
{
"name": "revil_mutexes",
"time": 0.001
},
{
"name": "ransomware_revil_regkey",
"time": 0.0
},
{
"name": "satan_mutexes",
"time": 0.001
},
{
"name": "snake_ransom_mutexes",
"time": 0.0
},
{
"name": "stop_ransom_mutexes",
"time": 0.0
},
{
"name": "stop_ransomware_cmd",
"time": 0.0
},
{
"name": "ransomware_stopdjvu",
"time": 0.0
},
{
"name": "rat_beebus_mutexes",
"time": 0.0
},
{
"name": "blacknet_mutexes",
"time": 0.0
},
{
"name": "blackrat_mutexes",
"time": 0.0
},
{
"name": "crat_mutexes",
"time": 0.0
},
{
"name": "dcrat_files",
"time": 0.0
},
{
"name": "dcrat_mutexes",
"time": 0.0
},
{
"name": "rat_fynloski_mutexes",
"time": 0.0
},
{
"name": "limerat_mutexes",
"time": 0.0
},
{
"name": "limerat_regkeys",
"time": 0.001
},
{
"name": "lodarat_file_behavior",
"time": 0.0
},
{
"name": "modirat_behavior",
"time": 0.001
},
{
"name": "njrat_regkeys",
"time": 0.0
},
{
"name": "obliquerat_files",
"time": 0.0
},
{
"name": "obliquerat_mutexes",
"time": 0.0
},
{
"name": "parallax_mutexes",
"time": 0.0
},
{
"name": "rat_pcclient",
"time": 0.001
},
{
"name": "rat_plugx_mutexes",
"time": 0.0
},
{
"name": "rat_poisonivy_mutexes",
"time": 0.0
},
{
"name": "rat_quasar_mutexes",
"time": 0.0
},
{
"name": "ratsnif_mutexes",
"time": 0.0
},
{
"name": "rat_spynet",
"time": 0.0
},
{
"name": "venomrat_mutexes",
"time": 0.0
},
{
"name": "warzonerat_files",
"time": 0.0
},
{
"name": "warzonerat_regkeys",
"time": 0.001
},
{
"name": "xpertrat_files",
"time": 0.0
},
{
"name": "xpertrat_mutexes",
"time": 0.0
},
{
"name": "rat_xtreme_mutexes",
"time": 0.0
},
{
"name": "reads_password_database",
"time": 0.0
},
{
"name": "recon_fingerprint",
"time": 0.001
},
{
"name": "remcos_files",
"time": 0.0
},
{
"name": "remcos_mutexes",
"time": 0.0
},
{
"name": "remcos_regkeys",
"time": 0.0
},
{
"name": "rdptcp_key",
"time": 0.0
},
{
"name": "uses_rdp_clip",
"time": 0.0
},
{
"name": "uses_remote_desktop_session",
"time": 0.0
},
{
"name": "removes_networking_icon",
"time": 0.0
},
{
"name": "removes_pinned_programs",
"time": 0.0
},
{
"name": "removes_security_maintenance_icon",
"time": 0.0
},
{
"name": "removes_startmenu_defaults",
"time": 0.0
},
{
"name": "removes_username_startmenu",
"time": 0.0
},
{
"name": "spicyhotpot_behavior",
"time": 0.0
},
{
"name": "sniffer_winpcap",
"time": 0.0
},
{
"name": "spreading_autoruninf",
"time": 0.0
},
{
"name": "stealth_hidden_extension",
"time": 0.0
},
{
"name": "stealth_hiddenreg",
"time": 0.0
},
{
"name": "stealth_hide_notifications",
"time": 0.0
},
{
"name": "stealth_webhistory",
"time": 0.0
},
{
"name": "sysinternals_psexec",
"time": 0.0
},
{
"name": "sysinternals_tools",
"time": 0.0
},
{
"name": "language_check_registry",
"time": 0.001
},
{
"name": "tampers_etw",
"time": 0.001
},
{
"name": "lsa_tampering",
"time": 0.0
},
{
"name": "tampers_powershell_logging",
"time": 0.0
},
{
"name": "targeted_flame",
"time": 0.0
},
{
"name": "territorial_disputes_sigs",
"time": 0.014
},
{
"name": "trickbot_mutex",
"time": 0.0
},
{
"name": "fleercivet_mutex",
"time": 0.0
},
{
"name": "lokibot_mutexes",
"time": 0.001
},
{
"name": "ursnif_behavior",
"time": 0.001
},
{
"name": "uses_adfind",
"time": 0.0
},
{
"name": "uses_ms_protocol",
"time": 0.0
},
{
"name": "neshta_mutexes",
"time": 0.0
},
{
"name": "renamer_mutexes",
"time": 0.0
},
{
"name": "owa_web_shell_files",
"time": 0.0
},
{
"name": "web_shell_files",
"time": 0.0
},
{
"name": "web_shell_processes",
"time": 0.0
},
{
"name": "dotnet_csc_build",
"time": 0.0
},
{
"name": "mavinject_lolbin",
"time": 0.0
},
{
"name": "multiple_explorer_instances",
"time": 0.0
},
{
"name": "script_tool_executed",
"time": 0.0
},
{
"name": "suspicious_certutil_use",
"time": 0.0
},
{
"name": "suspicious_command_tools",
"time": 0.0
},
{
"name": "suspicious_mpcmdrun_use",
"time": 0.0
},
{
"name": "suspicious_ping_use",
"time": 0.0
},
{
"name": "uses_powershell_copyitem",
"time": 0.0
},
{
"name": "uses_windows_utilities",
"time": 0.0
},
{
"name": "uses_windows_utilities_appcmd",
"time": 0.0
},
{
"name": "uses_windows_utilities_csvde_ldifde",
"time": 0.0
},
{
"name": "uses_windows_utilities_cipher",
"time": 0.0
},
{
"name": "uses_windows_utilities_clickonce",
"time": 0.0
},
{
"name": "uses_windows_utilities_curl",
"time": 0.0
},
{
"name": "uses_windows_utilities_dsquery",
"time": 0.0
},
{
"name": "uses_windows_utilities_esentutl",
"time": 0.0
},
{
"name": "uses_windows_utilities_finger",
"time": 0.0
},
{
"name": "uses_windows_utilities_mode",
"time": 0.0
},
{
"name": "uses_windows_utilities_ntdsutil",
"time": 0.0
},
{
"name": "uses_windows_utilities_nltest",
"time": 0.0
},
{
"name": "uses_windows_utilities_setx",
"time": 0.0
},
{
"name": "uses_windows_utilities_xcopy",
"time": 0.0
},
{
"name": "wmic_command_suspicious",
"time": 0.0
},
{
"name": "scrcons_wmi_script_consumer",
"time": 0.0
},
{
"name": "allaple_mutexes",
"time": 0.0
}
],
"reporting": [
{
"name": "BinGraph",
"time": 0.0
}
]
},
"target": {
"category": "file",
"file": {
"name": "strings.exe",
"path": "/opt/CAPEv2/storage/binaries/a7553d77edca85bec980e38e69bf0e9f36962f20be0ee759e9a96030d519c5a0",
"guest_paths": "",
"size": 370056,
"crc32": "2063D15D",
"md5": "818a6b4770d7090cfa60d53e4fcb854a",
"sha1": "9efc50edf5a7c92d51503c78efbe755313871e7b",
"sha256": "a7553d77edca85bec980e38e69bf0e9f36962f20be0ee759e9a96030d519c5a0",
"sha512": "03b8574b3948bd54999b33b2d4b7bc0fe27ddbdadb6d0e5b4a2ab97645c071ae32c661b76384aead0bd1594445e1d152ffdae4eda585bbbb55b90610bf40c5f2",
"rh_hash": null,
"ssdeep": "6144:EopCpgg69QIEXbryg1A1KJ7zMKBRyXtghOkm5xKXoulo8+jbjFOuBRlwa:TIpgg69QIEXbrygK1KJ7zMKL7ouloDsB",
"type": "PE32 executable (console) Intel 80386, for MS Windows",
"yara": [
{
"name": "IsPE32",
"meta": {},
"strings": [],
"addresses": {}
},
{
"name": "IsConsole",
"meta": {},
"strings": [],
"addresses": {}
},
{
"name": "HasOverlay",
"meta": {
"author": "_pusher_",
"description": "Overlay Check"
},
"strings": [],
"addresses": {}
},
{
"name": "HasDebugData",
"meta": {
"author": "_pusher_",
"description": "DebugData Check",
"date": "2016-07"
},
"strings": [],
"addresses": {}
},
{
"name": "HasRichSignature",
"meta": {
"author": "_pusher_",
"description": "Rich Signature Check",
"date": "2016-07"
},
"strings": [
"Rich"
],
"addresses": {
"a0": 304520
}
},
{
"name": "VC8_Microsoft_Corporation",
"meta": {},
"strings": [
"{ E8 DC 06 00 00 E9 17 FE FF FF }",
"{ E8 F4 72 00 00 E9 A1 FF FF FF }",
"{ E8 06 00 00 00 E9 62 FF FF FF }",
"{ E8 9F E4 FF FF E9 2A FF FF FF }",
"{ E8 08 00 00 00 E9 E2 FE FF FF }",
"{ E8 04 00 00 00 E9 BB FD FF FF }",
"{ E8 0E 00 00 00 E9 60 FD FF FF }",
"{ E8 93 C2 FF FF E9 AB FE FF FF }",
"{ E8 07 C6 FF FF E9 4E FD FF FF }",
"{ E8 B0 C4 FF FF E9 3B FC FF FF }",
"{ E8 49 C4 FF FF E9 F6 FB FF FF }",
"{ E8 0C 01 00 00 E9 78 FF FF FF }",
"{ E8 13 F0 FF FF E9 DD FE FF FF }",
"{ E8 2C 08 00 00 E9 71 FE FF FF }",
"{ E8 E8 BE FF FF E9 A9 FE FF FF }",
"{ E8 EF BA FF FF E9 8D FE FF FF }",
"{ E8 B3 E3 FF FF E9 6B FF FF FF }",
"{ E8 4C D5 FF FF E9 3D FF FF FF }",
"{ E8 2B C3 FF FF E9 32 FF FF FF }",
"{ E8 82 EC FF FF E9 1A FF FF FF }",
"{ E8 25 08 00 00 E9 0F FF FF FF }",
"{ E8 B0 FC FF FF E9 25 FD FF FF }",
"{ E8 80 00 00 00 E9 A4 FF FF FF }",
"{ E8 99 54 00 00 E9 76 FF FF FF }",
"{ E8 7F 52 00 00 E9 76 FF FF FF }",
"{ E8 56 50 00 00 E9 76 FF FF FF }",
"{ E8 3C 4E 00 00 E9 76 FF FF FF }",
"{ E8 22 4C 00 00 E9 76 FF FF FF }",
"{ E8 F9 49 00 00 E9 76 FF FF FF }",
"{ E8 D2 47 00 00 E9 76 FF FF FF }",
"{ E8 8D 45 00 00 E9 76 FF FF FF }",
"{ E8 39 43 00 00 E9 76 FF FF FF }",
"{ E8 F4 40 00 00 E9 76 FF FF FF }",
"{ E8 AF 3E 00 00 E9 76 FF FF FF }",
"{ E8 5B 3C 00 00 E9 76 FF FF FF }",
"{ E8 06 F5 FF FF E9 35 F5 FF FF }",
"{ E8 91 DF FF FF E9 70 FF FF FF }",
"{ E8 74 18 FC FF E9 DD FF FF FF }",
"{ E8 65 18 FC FF E9 CE FF FF FF }"
],
"addresses": {
"a": 268485
}
},
{
"name": "Microsoft_Visual_Cpp_8",
"meta": {},
"strings": [
"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000B\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0006\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0006\u0000\u0000\u0000\u0000",
"\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0006\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0006\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0000\u0000",
"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000",
"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000",
"\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000",
"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000",
"\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000",
"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000",
"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000",
"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000",
"\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000",
"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000",
"\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000",
"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000",
"\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000",
"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000",
"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000",
"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0006\u0000\u0000",
"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0006\u0000\u0000\u0000",
"{ 00 00 00 00 00 00 10 00 00 00 00 00 00 00 98 C0 00 00 00 00 00 00 98 40 00 00 00 00 00 00 F0 7F 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F0 7F 00 00 00 00 00 00 F0 FF 00 00 00 00 00 00 E0 7F 00 00 00 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 }",
"{ 00 00 00 00 00 00 98 C0 00 00 00 00 00 00 98 40 00 00 00 00 00 00 F0 7F 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F0 7F 00 00 00 00 00 00 F0 FF 00 00 00 00 00 00 E0 7F 00 00 00 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 }",
"{ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 DC 60 45 00 28 3B 45 00 07 00 00 00 14 52 44 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }",
"{ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 DC 60 45 00 28 3B 45 00 07 00 00 00 14 52 44 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }",
"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000,nE\u0000\u0000",
"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000,nE\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000,nE\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000,nE\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000,nE\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000,nE\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000,nE\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000,nE\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000,nE\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000,nE\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000,nE\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001 \u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002 \u0000\u0000",
"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002 \u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002 \u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002 \u0000\u0000",
"{ 00 00 00 00 00 00 00 00 00 00 00 00 00 D8 62 45 00 00 00 00 00 00 00 00 00 00 00 00 00 D8 62 45 00 00 00 00 00 00 00 00 00 00 00 00 00 D8 62 45 00 00 00 00 00 00 00 00 00 00 00 00 00 D8 62 45 00 00 00 00 00 00 00 00 00 00 00 00 00 D8 62 45 00 00 }",
"{ 00 00 00 00 00 00 00 00 00 00 00 00 00 D8 62 45 00 00 00 00 00 00 00 00 00 00 00 00 00 D8 62 45 00 00 00 00 00 00 00 00 00 00 00 00 00 D8 62 45 00 00 00 00 00 00 00 00 00 00 00 00 00 D8 62 45 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }",
"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0010\u0000\u0000",
"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0010\u0000\u0000",
"{ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 88 23 00 00 }",
"{ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 88 23 00 00 00 }",
"{ E8 DC 06 00 00 E9 17 FE FF FF }",
"{ E8 F4 72 00 00 E9 A1 FF FF FF }",
"{ E8 06 00 00 00 E9 62 FF FF FF }",
"{ E8 08 00 00 00 E9 E2 FE FF FF }",
"{ E8 04 00 00 00 E9 BB FD FF FF }",
"{ E8 0E 00 00 00 E9 60 FD FF FF }",
"{ E8 0C 01 00 00 E9 78 FF FF FF }",
"{ E8 2C 08 00 00 E9 71 FE FF FF }",
"{ E8 25 08 00 00 E9 0F FF FF FF }",
"{ E8 80 00 00 00 E9 A4 FF FF FF }",
"{ E8 99 54 00 00 E9 76 FF FF FF }",
"{ E8 7F 52 00 00 E9 76 FF FF FF }",
"{ E8 56 50 00 00 E9 76 FF FF FF }",
"{ E8 3C 4E 00 00 E9 76 FF FF FF }",
"{ E8 22 4C 00 00 E9 76 FF FF FF }",
"{ E8 F9 49 00 00 E9 76 FF FF FF }",
"{ E8 D2 47 00 00 E9 76 FF FF FF }",
"{ E8 8D 45 00 00 E9 76 FF FF FF }",
"{ E8 39 43 00 00 E9 76 FF FF FF }",
"{ E8 F4 40 00 00 E9 76 FF FF FF }",
"{ E8 AF 3E 00 00 E9 76 FF FF FF }",
"{ E8 5B 3C 00 00 E9 76 FF FF FF }"
],
"addresses": {
"a": 360883,
"b": 103880
}
}
],
"cape_yara": [],
"clamav": [],
"tlsh": "T1F1745B11B9C0C032D6B33D304AB8E2B15D7E79706D349A9FA39815795F34A81EA35B2F",
"sha3_384": "393cdcf37e1564c442e7c761db8e2b42d4a85da20c76746e0c4a57dca26cbe4be467d3a3d5ea7b215e75cd7501446773",
"yara_hash": "b833150b13e1662cfeb7589959edd288cf4e73710395ec5c5f2123f39a668f4d",
"options_hash": "44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
"pe": {
"guest_signers": {
"aux_sha1": null,
"aux_timestamp": "Tue Jun 22 14:25:08 2021",
"aux_valid": true,
"aux_error": null,
"aux_error_desc": null,
"aux_signers": [
{
"name": "Certificate Chain 1",
"Issued to": "Microsoft Root Certificate Authority 2011",
"Issued by": "Microsoft Root Certificate Authority 2011",
"Expires": "Sun Mar 23 01:13:04 2036",
"SHA1 hash": "8f43288ad272f3103b6fb1428485ea3014c0bcfe"
},
{
"name": "Certificate Chain 2",
"Issued to": "Microsoft Code Signing PCA 2011",
"Issued by": "Microsoft Root Certificate Authority 2011",
"Expires": "Thu Jul 09 00:09:09 2026",
"SHA1 hash": "f252e794fe438e35ace6e53762c0a234a2c52135"
},
{
"name": "Certificate Chain 3",
"Issued to": "Microsoft Corporation",
"Issued by": "Microsoft Code Signing PCA 2011",
"Expires": "Fri Dec 03 00:31:45 2021",
"SHA1 hash": "abdca79af9dd48a0ea702ad45260b3c03093fb4b"
},
{
"name": "Timestamp Chain 1",
"Issued to": "Microsoft Root Certificate Authority 2010",
"Issued by": "Microsoft Root Certificate Authority 2010",
"Expires": "Sun Jun 24 01:04:01 2035",
"SHA1 hash": "3b1efd3a66ea28b16697394703a72ca340a05bd5"
},
{
"name": "Timestamp Chain 2",
"Issued to": "Microsoft Time-Stamp PCA 2010",
"Issued by": "Microsoft Root Certificate Authority 2010",
"Expires": "Wed Jul 02 00:46:55 2025",
"SHA1 hash": "2aa752fe64c49abe82913c463529cf10ff2f04ee"
},
{
"name": "Timestamp Chain 3",
"Issued to": "Microsoft Time-Stamp Service",
"Issued by": "Microsoft Time-Stamp PCA 2010",
"Expires": "Mon Apr 11 22:02:20 2022",
"SHA1 hash": "fb329274758b44dcc8972a875715d980a9d9d0a2"
}
]
},
"digital_signers": [],
"imagebase": "0x00400000",
"entrypoint": "0x00004019",
"ep_bytes": "e8dc060000e917feffff558bec6a00ff",
"peid_signatures": null,
"reported_checksum": "0x000615d6",
"actual_checksum": "0x000615d6",
"osversion": "6.0",
"machine_type": "IMAGE_FILE_MACHINE_I386",
"pdbpath": "D:\\a\\1\\s\\Win32\\Release\\strings.pdb",
"imports": {
"VERSION": {
"dll": "VERSION.dll",
"imports": [
{
"address": "0x4451f8",
"name": "VerQueryValueW"
},
{
"address": "0x4451fc",
"name": "VerQueryValueA"
},
{
"address": "0x445200",
"name": "GetFileVersionInfoW"
},
{
"address": "0x445204",
"name": "GetFileVersionInfoA"
},
{
"address": "0x445208",
"name": "GetFileVersionInfoSizeW"
},
{
"address": "0x44520c",
"name": "GetFileVersionInfoSizeA"
}
]
},
"KERNEL32": {
"dll": "KERNEL32.dll",
"imports": [
{
"address": "0x445044",
"name": "GetVersionExA"
},
{
"address": "0x445048",
"name": "LoadLibraryExA"
},
{
"address": "0x44504c",
"name": "GetCurrentDirectoryA"
},
{
"address": "0x445050",
"name": "CreateFileA"
},
{
"address": "0x445054",
"name": "FindClose"
},
{
"address": "0x445058",
"name": "FindFirstFileA"
},
{
"address": "0x44505c",
"name": "FindNextFileA"
},
{
"address": "0x445060",
"name": "GetFullPathNameA"
},
{
"address": "0x445064",
"name": "ReadFile"
},
{
"address": "0x445068",
"name": "SetFilePointer"
},
{
"address": "0x44506c",
"name": "CloseHandle"
},
{
"address": "0x445070",
"name": "GetLastError"
},
{
"address": "0x445074",
"name": "SetLastError"
},
{
"address": "0x445078",
"name": "FormatMessageA"
},
{
"address": "0x44507c",
"name": "FreeEnvironmentStringsW"
},
{
"address": "0x445080",
"name": "GetEnvironmentStringsW"
},
{
"address": "0x445084",
"name": "MultiByteToWideChar"
},
{
"address": "0x445088",
"name": "GetCPInfo"
},
{
"address": "0x44508c",
"name": "GetOEMCP"
},
{
"address": "0x445090",
"name": "GetACP"
},
{
"address": "0x445094",
"name": "IsValidCodePage"
},
{
"address": "0x445098",
"name": "FindNextFileW"
},
{
"address": "0x44509c",
"name": "FindFirstFileExW"
},
{
"address": "0x4450a0",
"name": "OutputDebugStringW"
},
{
"address": "0x4450a4",
"name": "SetFilePointerEx"
},
{
"address": "0x4450a8",
"name": "LocalFree"
},
{
"address": "0x4450ac",
"name": "LocalAlloc"
},
{
"address": "0x4450b0",
"name": "GetProcAddress"
},
{
"address": "0x4450b4",
"name": "GetModuleHandleA"
},
{
"address": "0x4450b8",
"name": "GetCommandLineW"
},
{
"address": "0x4450bc",
"name": "GetModuleFileNameW"
},
{
"address": "0x4450c0",
"name": "GetStdHandle"
},
{
"address": "0x4450c4",
"name": "GetFileType"
},
{
"address": "0x4450c8",
"name": "GetModuleFileNameA"
},
{
"address": "0x4450cc",
"name": "SetEnvironmentVariableW"
},
{
"address": "0x4450d0",
"name": "GetProcessHeap"
},
{
"address": "0x4450d4",
"name": "SetConsoleCtrlHandler"
},
{
"address": "0x4450d8",
"name": "HeapSize"
},
{
"address": "0x4450dc",
"name": "HeapReAlloc"
},
{
"address": "0x4450e0",
"name": "WriteConsoleW"
},
{
"address": "0x4450e4",
"name": "GetCurrentProcess"
},
{
"address": "0x4450e8",
"name": "GetSystemTimeAsFileTime"
},
{
"address": "0x4450ec",
"name": "UnhandledExceptionFilter"
},
{
"address": "0x4450f0",
"name": "SetUnhandledExceptionFilter"
},
{
"address": "0x4450f4",
"name": "TerminateProcess"
},
{
"address": "0x4450f8",
"name": "IsProcessorFeaturePresent"
},
{
"address": "0x4450fc",
"name": "QueryPerformanceCounter"
},
{
"address": "0x445100",
"name": "GetCurrentProcessId"
},
{
"address": "0x445104",
"name": "GetCurrentThreadId"
},
{
"address": "0x445108",
"name": "DecodePointer"
},
{
"address": "0x44510c",
"name": "InitializeSListHead"
},
{
"address": "0x445110",
"name": "IsDebuggerPresent"
},
{
"address": "0x445114",
"name": "GetStartupInfoW"
},
{
"address": "0x445118",
"name": "GetModuleHandleW"
},
{
"address": "0x44511c",
"name": "InterlockedPushEntrySList"
},
{
"address": "0x445120",
"name": "InterlockedFlushSList"
},
{
"address": "0x445124",
"name": "RtlUnwind"
},
{
"address": "0x445128",
"name": "EnterCriticalSection"
},
{
"address": "0x44512c",
"name": "LeaveCriticalSection"
},
{
"address": "0x445130",
"name": "DeleteCriticalSection"
},
{
"address": "0x445134",
"name": "InitializeCriticalSectionAndSpinCount"
},
{
"address": "0x445138",
"name": "TlsAlloc"
},
{
"address": "0x44513c",
"name": "TlsGetValue"
},
{
"address": "0x445140",
"name": "TlsSetValue"
},
{
"address": "0x445144",
"name": "TlsFree"
},
{
"address": "0x445148",
"name": "FreeLibrary"
},
{
"address": "0x44514c",
"name": "LoadLibraryExW"
},
{
"address": "0x445150",
"name": "EncodePointer"
},
{
"address": "0x445154",
"name": "RaiseException"
},
{
"address": "0x445158",
"name": "SetStdHandle"
},
{
"address": "0x44515c",
"name": "ExitProcess"
},
{
"address": "0x445160",
"name": "GetModuleHandleExW"
},
{
"address": "0x445164",
"name": "GetConsoleCP"
},
{
"address": "0x445168",
"name": "WriteFile"
},
{
"address": "0x44516c",
"name": "GetCommandLineA"
},
{
"address": "0x445170",
"name": "HeapAlloc"
},
{
"address": "0x445174",
"name": "HeapFree"
},
{
"address": "0x445178",
"name": "GetDateFormatW"
},
{
"address": "0x44517c",
"name": "GetTimeFormatW"
},
{
"address": "0x445180",
"name": "CompareStringW"
},
{
"address": "0x445184",
"name": "LCMapStringW"
},
{
"address": "0x445188",
"name": "GetLocaleInfoW"
},
{
"address": "0x44518c",
"name": "IsValidLocale"
},
{
"address": "0x445190",
"name": "GetUserDefaultLCID"
},
{
"address": "0x445194",
"name": "EnumSystemLocalesW"
},
{
"address": "0x445198",
"name": "GetCurrentThread"
},
{
"address": "0x44519c",
"name": "FlushFileBuffers"
},
{
"address": "0x4451a0",
"name": "GetConsoleOutputCP"
},
{
"address": "0x4451a4",
"name": "GetConsoleMode"
},
{
"address": "0x4451a8",
"name": "WideCharToMultiByte"
},
{
"address": "0x4451ac",
"name": "CreateFileW"
},
{
"address": "0x4451b0",
"name": "SetConsoleMode"
},
{
"address": "0x4451b4",
"name": "GetNumberOfConsoleInputEvents"
},
{
"address": "0x4451b8",
"name": "ReadConsoleInputW"
},
{
"address": "0x4451bc",
"name": "PeekConsoleInputA"
},
{
"address": "0x4451c0",
"name": "ReadConsoleW"
},
{
"address": "0x4451c4",
"name": "GetStringTypeW"
},
{
"address": "0x4451c8",
"name": "GetFileSizeEx"
}
]
},
"USER32": {
"dll": "USER32.dll",
"imports": [
{
"address": "0x4451d0",
"name": "LoadCursorA"
},
{
"address": "0x4451d4",
"name": "InflateRect"
},
{
"address": "0x4451d8",
"name": "GetSysColorBrush"
},
{
"address": "0x4451dc",
"name": "SetCursor"
},
{
"address": "0x4451e0",
"name": "SetWindowTextA"
},
{
"address": "0x4451e4",
"name": "GetDlgItem"
},
{
"address": "0x4451e8",
"name": "EndDialog"
},
{
"address": "0x4451ec",
"name": "DialogBoxIndirectParamA"
},
{
"address": "0x4451f0",
"name": "SendMessageA"
}
]
},
"GDI32": {
"dll": "GDI32.dll",
"imports": [
{
"address": "0x445028",
"name": "StartPage"
},
{
"address": "0x44502c",
"name": "EndDoc"
},
{
"address": "0x445030",
"name": "StartDocA"
},
{
"address": "0x445034",
"name": "SetMapMode"
},
{
"address": "0x445038",
"name": "GetDeviceCaps"
},
{
"address": "0x44503c",
"name": "EndPage"
}
]
},
"COMDLG32": {
"dll": "COMDLG32.dll",
"imports": [
{
"address": "0x445020",
"name": "PrintDlgA"
}
]
},
"ADVAPI32": {
"dll": "ADVAPI32.dll",
"imports": [
{
"address": "0x445000",
"name": "RegQueryValueExW"
},
{
"address": "0x445004",
"name": "RegQueryValueExA"
},
{
"address": "0x445008",
"name": "RegOpenKeyExA"
},
{
"address": "0x44500c",
"name": "RegOpenKeyA"
},
{
"address": "0x445010",
"name": "RegCreateKeyA"
},
{
"address": "0x445014",
"name": "RegCloseKey"
},
{
"address": "0x445018",
"name": "RegSetValueExA"
}
]
}
},
"exported_dll_name": null,
"exports": [],
"dirents": [
{
"name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
"virtual_address": "0x00000000",
"size": "0x00000000"
},
{
"name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
"virtual_address": "0x0005486c",
"size": "0x0000008c"
},
{
"name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
"virtual_address": "0x00058000",
"size": "0x00000588"
},
{
"name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
"virtual_address": "0x00000000",
"size": "0x00000000"
},
{
"name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
"virtual_address": "0x00058200",
"size": "0x00002388"
},
{
"name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
"virtual_address": "0x00059000",
"size": "0x000026c0"
},
{
"name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
"virtual_address": "0x0005374c",
"size": "0x00000054"
},
{
"name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
"virtual_address": "0x00000000",
"size": "0x00000000"
},
{
"name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
"virtual_address": "0x00000000",
"size": "0x00000000"
},
{
"name": "IMAGE_DIRECTORY_ENTRY_TLS",
"virtual_address": "0x00000000",
"size": "0x00000000"
},
{
"name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
"virtual_address": "0x000537a0",
"size": "0x00000040"
},
{
"name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
"virtual_address": "0x00000000",
"size": "0x00000000"
},
{
"name": "IMAGE_DIRECTORY_ENTRY_IAT",
"virtual_address": "0x00045000",
"size": "0x00000214"
},
{
"name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
"virtual_address": "0x00000000",
"size": "0x00000000"
},
{
"name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
"virtual_address": "0x00000000",
"size": "0x00000000"
},
{
"name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
"virtual_address": "0x00000000",
"size": "0x00000000"
}
],
"sections": [
{
"name": ".text",
"raw_address": "0x00000400",
"virtual_address": "0x00001000",
"virtual_size": "0x00043df1",
"size_of_data": "0x00043e00",
"characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
"characteristics_raw": "0x60000020",
"entropy": "6.61"
},
{
"name": ".rdata",
"raw_address": "0x00044200",
"virtual_address": "0x00045000",
"virtual_size": "0x00010468",
"size_of_data": "0x00010600",
"characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
"characteristics_raw": "0x40000040",
"entropy": "4.89"
},
{
"name": ".data",
"raw_address": "0x00054800",
"virtual_address": "0x00056000",
"virtual_size": "0x00001d8c",
"size_of_data": "0x00000c00",
"characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
"characteristics_raw": "0xc0000040",
"entropy": "2.61"
},
{
"name": ".rsrc",
"raw_address": "0x00055400",
"virtual_address": "0x00058000",
"virtual_size": "0x00000588",
"size_of_data": "0x00000600",
"characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
"characteristics_raw": "0x40000040",
"entropy": "3.91"
},
{
"name": ".reloc",
"raw_address": "0x00055a00",
"virtual_address": "0x00059000",
"virtual_size": "0x000026c0",
"size_of_data": "0x00002800",
"characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
"characteristics_raw": "0x42000040",
"entropy": "6.61"
}
],
"overlay": {
"offset": "0x00058200",
"size": "0x00002388"
},
"resources": [
{
"name": "RT_VERSION",
"offset": "0x000580a0",
"size": "0x00000368",
"filetype": null,
"language": "LANG_ENGLISH",
"sublanguage": "SUBLANG_ENGLISH_US",
"entropy": "3.41"
},
{
"name": "RT_MANIFEST",
"offset": "0x00058408",
"size": "0x0000017d",
"filetype": null,
"language": "LANG_ENGLISH",
"sublanguage": "SUBLANG_ENGLISH_US",
"entropy": "4.91"
}
],
"versioninfo": [
{
"name": "CompanyName",
"value": "Sysinternals - www.sysinternals.com"
},
{
"name": "FileDescription",
"value": "Search for ANSI and Unicode strings in binary images."
},
{
"name": "FileVersion",
"value": "2.54"
},
{
"name": "InternalName",
"value": "Strings"
},
{
"name": "LegalCopyright",
"value": "Copyright (C) 1999-2021 Mark Russinovich"
},
{
"name": "OriginalFilename",
"value": "strings.exe"
},
{
"name": "ProductName",
"value": "Sysinternals Strings"
},
{
"name": "ProductVersion",
"value": "2.54"
},
{
"name": "Translation",
"value": "0x0409 0x04b0"
}
],
"imphash": "03a0e8da139a5eed63cd002618eb6590",
"timestamp": "2021-06-22 11:24:59",
"icon": null,
"icon_hash": null,
"icon_fuzzy": null,
"icon_dhash": null,
"imported_dll_count": 6
},
"data": null,
"strings": [
"-0D0m0",
"ar-IQ",
"0@0U0k0x0",
":(:@:\\:|:",
"ms-bn",
"ru-ru",
"`default constructor closure'",
"1 1@1`1",
"quz-ec",
"8+9Y9u9",
"UNKNOWN",
"l/accepteula",
" tel quel ",
"0'1t1",
"uz-uz-cyrl",
".rsrc",
"?@?[?",
"jdh(?E",
"GetModuleHandleExW",
"de-at",
"FlushFileBuffers",
"\\'b7\\tab Internet-based services, and \\par",
"DOCUMENTATION",
"tlj*Yf",
"EndDialog",
"5\"595?5E5K5Q5W5]5r5",
"dddd, MMMM dd, yyyy",
" un usage particulier et d'absence de contrefa",
"NX9^`t1",
"SPSVQ",
"ar-jo",
"4(4H4h4",
"hi-IN",
"10h0o0t0x0|0",
"QQSVWd",
"bf&!D",
"License Agreement",
"",
"united-kingdom",
"The software is licensed, not sold.This agreement only gives you some rights to use the software.Sysinternals reserves all other rights.Unless applicable law gives you more rights despite this limitation, you may use the software only as expressly permitted in this agreement.In doing so, you must comply with any technical limitations in the software that only allow you to use it in certain ways.You may not",
"az-AZ-Cyrl",
"ka-ge",
"norwegian-bokmal",
"EndPage",
"cs-CZ",
"Legal_policy_statement",
"0/090",
"\\StringFileInfo\\%04X%04X\\%s",
"norwegian-nynorsk",
"iotuap",
"protected: ",
"eu-es",
"4!4V4g4",
"S0Q0O",
"5I5",
"",
"short ",
"\\pard\\fi-363\\li720\\sb120\\sa120\\tx720\\'b7\\tab les r\\'e9clamations au titre de violation de contrat ou de garantie, ou au titre de responsabilit\\'e9 stricte, de n\\'e9gligence ou d'une autre faute dans la limite autoris\\'e9e par la loi en vigueur.\\par",
"swedish-finland",
"tEJ!U*",
"4(444",
"0?1\\1",
"111J1l1",
"cy-gb",
"< t3<",
"QQSVj8j@",
"__clrcall",
"ml-IN",
"No strings found.",
";9;i;",
"swiss",
"GetStringTypeW",
"api-ms-win-core-string-l1-1-0",
"cs-cz",
"EnumSystemLocalesW",
"Microsoft Code Signing PCA 20110",
"strings.exe",
"zh-mo",
"DeleteCriticalSection",
"sr-ba-cyrl",
"j$Yf9",
"9C`u99C\\t4",
"GetNumberOfConsoleInputEvents",
"tant distribu",
"2$2,242<2D2L2T2\\2d2l2t2|2",
"\\fs20 11.\\tab\\fs19 Disclaimer of Warranty.\\caps0 \\caps The software is licensed \"as - is.\" You bear the risk of using it. SYSINTERNALS gives no express warranties, guarantees or conditions. You may have additional consumer rights under your local laws which this agreement cannot change. To the extent permitted under your local laws, SYSINTERNALS excludes the implied warranties of merchantability, fitness for a particular purpose and non-infringement.\\par",
"ft&9q",
"50666B6`6f6",
"es-NI",
"de-DE",
"te-IN",
"PuO'a",
"GetUserObjectInformationW",
"en-ca",
"InternalName",
"__int8",
">B>$?",
"\\caps\\fs20 8.\\tab\\fs19 Entire Agreement.\\b0\\caps0 This agreement, and the terms for supplements, updates, Internet-based services and support services that you use, are the entire agreement for the software and support services.\\par",
" votre ",
"Wow64DisableWow64FsRedirection",
".?AVDNameStatusNode@@",
".CRT$XTZ",
"az-AZ-Latn",
"This agreement describes certain legal rights.You may have other rights under the laws of your country.You may also have rights with respect to the party from whom you acquired the software.This agreement does not change your rights under the laws of your country if the laws of your country do not permit it to do so.",
"0,000L0P0X0`0h0l0t0",
" ",
"ta-in",
"*tI=+",
"\\pard\\sb120\\sa120\\b0\\fs19 These license terms are an agreement between Sysinternals (a wholly owned subsidiary of Microsoft Corporation) and you. Please read them. They apply to the software you are downloading from Systinternals.com, which includes the media on which you received it, if any. The terms also apply to any Sysinternals\\par",
"5ineI",
"950nE",
"GetStdHandle",
"es-cl",
"it-ch",
"RaiseException",
"'0<0Q0",
"CONIN$",
":);/;A;R;r;",
"GetConsoleMode",
"jXXf;",
"-a Ascii-only search (Unicode and Ascii is default)",
"portuguese-brazilian",
"smj-no",
"5,6 7`7l8",
"WriteConsoleW",
"GetCommandLineA",
"-s Recurse subdirectories",
"HPjPW",
"ms-MY",
"frexp",
"435D5U5",
"2#2(2-2H2R2^2c2h2",
"america",
"?@s-f",
"GetLastError",
"usage: %s [-a] [-f offset] [-b bytes] [-n length] [-o] [-s] [-u] ",
"mn-mn",
"DialogBoxIndirectParamA",
"`vftable'",
"pt-br",
"{\\rtf1\\ansi\\ansicpg1252\\deff0\\nouicompat\\deflang1033{\\fonttbl{\\f0\\fswiss\\fprq2\\fcharset0 Tahoma;}{\\f1\\fnil\\fcharset0 Calibri;}}",
"1<2i2",
"bn-in",
"MessageBoxW",
"spanish-mexican",
"SYSINTERNALS SOFTWARE LICENSE TERMS",
"5a6~6\"9",
" POUR LES DOMMAGES.Vous pouvez obtenir de Sysinternals et de ses fournisseurs une indemnisation en cas de dommages directs uniquement ",
"sr-sp-latn",
"\\'b7\\tab support services\\par",
".CRT$XCA",
"const ",
";(?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~",
"gligence ou d'une autre faute dans la limite autoris",
"es-SV",
"3 3(30383@3H3P3X3`3h3p3x3",
"mWQO)",
";%\\>k>",
"spanish-puerto rico",
"Y_^[]",
"=d>}>",
"on sont exclues.",
"`managed vector destructor iterator'",
"GetModuleHandleW",
">#>+>?>`>e>k>q>w>",
"j.Yf;",
".CRT$XCAA",
"const",
"%04u:",
"smn-fi",
"ar-lb",
"Thales TSS ESN:897A-E356-17011%0#",
"%s License Agreement",
"3$3,343<3D3L3T3\\3d3l3t3|3",
"VarFileInfo",
"te-in",
" ",
"220411190220Z0",
">4>:>F>c>i>",
"1#SNAN",
"",
"5#5@5d5",
"Ehttp://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl0Z",
"r}f;u",
"gard.",
"91:7:",
"en-zw",
"south-korea",
"cli::array<",
"March",
"api-ms-win-appmodel-runtime-l1-1-2",
"y9SVW",
"1S1^1",
"GetLocaleInfoEx",
"> >(>0>8>@>H>P>X>",
"char16_t",
".rdata$CastGuardVftablesC",
"G;~8u",
" Base Class Array'",
"chinese-hongkong",
"5W6l6u6~6",
"*make more copies of the software than specified in this agreement or allowed by applicable law, despite this limitation;",
"415B5V9",
"j,Yf;",
"ar-LY",
"zh-cht",
"es-HN",
"RegCloseKey",
"CONOUT$",
".CRT$XCZ",
"ar-tn",
")Microsoft Root Certificate Authority 20100",
"ar-SY",
"$u;8H",
"=6>e>",
"syr-sy",
"zh-sg",
";g<`=",
"1 1$1(1,1",
"u,PQRS",
"zh-CHT",
"u,f9F",
"operator<=>",
"\\'b7\\tab transfer the software or this agreement to any third party; or\\par",
"324=4q4",
"LoadLibraryExW",
"rkf;u",
"__stdcall",
"`template-parameter-",
"/accepteula",
"sma-NO",
"Y_[^]",
"3.4?4H4t7X>`>",
"[thunk]:",
"r\\f;u",
"ext-ms-",
"@.reloc",
"iu+-,",
"vus par les lois de votre pays. Le pr",
"Microsoft Corporation1&0$",
"RegQueryValueExA",
"Tuesday",
"virtual ",
"w>t6;",
"pt-PT",
"GetFileType",
"9?:E:",
"tHSVWP",
"0$0)0.0>0C0H0X0]0b0r0w0|0",
"Rhu]@",
"5X5a5q5",
"hr-BA",
"italian-swiss",
"1(1.1J1P1\\1z1",
"j\"Xf9",
"en-ZA",
"cli::pin_ptr<",
">%>7>I>[>m>",
"fa-IR",
"4$5H5S5`5r5",
"Accept Eula (Y/N)?",
"QueryPerformanceCounter",
" ",
">[>y>",
"german-austrian",
"VERSION.dll",
"SCOPE OF LICENSE",
"CompareStringEx",
"6(6E6W6]6f6l6",
"<#<)D>K>s>",
"t\"h|RD",
"%04d:",
"354}E",
"zSSSSj",
"4 4(40484@4H4P4X4`4h4p4x4",
"nl-nl",
"3http://www.microsoft.com/pkiops/docs/primarycps.htm0@",
"th-TH",
"/PjSW",
"`managed vector constructor iterator'",
"bs-ba-latn",
"puerto-rico",
"0B1\\1l1",
"VS_VERSION_INFO",
".CRT$XIAC",
"eu-ES",
"fr-fr",
"20210623125524Z0w0=",
"9!9d9",
"az-az-latn",
"AppPolicyGetWindowingModel",
"j:Xf;",
" Microsoft Operations Puerto Rico1&0$",
"EXPORT RESTRICTIONS",
"Washington1",
"tout ce qui est reli",
"de-LU",
"0 0$0(0,0004080<0@0D0H0L0P0T0X0\\0`0d0h0l0p0t0x0|0",
"sl-si",
"@.data",
"fr-MC",
"Any person that has valid access to your computer or internal network may copy and use the documentation for your internal, reference purposes.",
"tt-RU",
"es-pa",
"`typeof'",
"`template static data member destructor helper'",
")Microsoft Root Certificate Authority 20110",
"\\pard\\sb120\\sa120 for this software, unless other terms accompany those items. If so, those terms apply.\\par",
"4(4D4Y4^4c4",
"sv-fi",
"PPPPP",
"6>9s9",
"8!898Q8i8",
"english-jamaica",
"ar-MA",
"ar-eg",
"ms-my",
"zu-ZA",
"`udt returning'",
"GetProcessHeap",
"r_f;u",
"wchar_t",
"<$=(=,=0=4=8=<=W=a=t=y=",
"3U3}3l5",
"`eh vector vbase copy constructor iterator'",
".rdata$sxdata",
"GetCurrentProcess",
"class ",
"December",
"LoadLibraryExA",
"URPQQh",
"floor",
"IsDebuggerPresent",
":&;J;U;c;",
"sent contrat d",
"1 1(10181@1H1P1X1`1h1p1x1",
"TS ET EXCLUSION DE RESPONSABILIT",
"ar-ly",
" ",
"==>h>}>",
"es-CO",
"english-can",
"VWj=S",
"InflateRect",
"35<}E",
"t3SVj",
"cointerface ",
"=>=D=P=m=s=",
"ar-ma",
"is-is",
"3o4@54617",
"-PjWW",
"\"B <1=",
"2*323@3N3_3",
" d'un tel dommage. Si votre pays n'autorise pas l'exclusion ou la limitation de responsabilit",
"BY USING THE SOFTWARE, YOU ACCEPT THESE TERMS.IF YOU DO NOT ACCEPT THEM, DO NOT USE THE SOFTWARE.",
"se-NO",
"FindFirstFileA",
"7!7;7h7o7P:",
"pwMt?",
"sw-KE",
"Saturday",
"spanish-panama",
">^?d?s?y?",
"obwQ4",
"Sysinternals Strings",
"",
"PPPPj",
"Microsoft Corporation1",
"ril.Sysinternals n'accorde aucune autre garantie expresse. Vous pouvez b",
"WSVPP",
"?5Wg4p",
"\\caps\\fs20 2.\\tab\\fs19 Scope of License\\caps0 .\\b0 The software is licensed, not sold. This agreement only gives you some rights to use the software. Sysinternals reserves all other rights. Unless applicable law gives you more rights despite this limitation, you may use the software only as expressly permitted in this agreement. In doing so, you must comply with any technical limitations in the software that only allow you to use it in certain ways. You may not\\b\\par",
"\\pard\\li360\\sb120\\sa120 It also applies even if Sysinternals knew or should have known about the possibility of the damages. The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential or other damages.\\par",
"EndDoc",
"0G1'4",
"__swift_1",
"ky-KG",
"?.?8?R?`?",
"4k4r4",
"StartPage",
"tre l'",
"Sysinternals - www.sysinternals.com",
"AppPolicyGetThreadInitializationType",
"?r?{?",
"",
"english-uk",
";FW>u>",
".rtc$IAA",
"?>?S?i?",
"<(?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~",
"mk-mk",
".?AVtype_info@@",
"rJf;u",
"* claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or other tort to the extent permitted by applicable law.",
"97:<:",
"GetCurrentThread",
"Microsoft Corporation1(0&",
"es-ec",
"pt-pt",
"PRPQh",
" LIMITATION DES DOMMAGES - INT",
"DLYwh",
"-b Bytes of file to scan",
"ar-DZ",
"quz-PE",
"GetCommandLineW",
"sma-SE",
"8(8.848:8@8F8L8R8X8^8d8j8",
"9!:(:W:^:",
"747S7e7",
"9(9,9<9@9D9L9d9t9x9",
"de-ch",
"char ",
"SetFilePointerEx",
"se-se",
"sq-AL",
"#0.030K0[0u0",
" stricte, de n",
"FileDescription",
"u29K\\t-",
"SSSSj",
"es-ES",
"2(2J2d2",
"5#515=5X5l5",
"__swift_2",
"NAN(IND)",
" !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~",
"operator co_await",
";SX>",
"GetLastActivePopup",
"AppPolicyGetShowDeveloperDiagnostic",
"lv-LV",
"es-do",
"{\\*\\generator Riched20 10.0.10240}\\viewkind4\\uc1 ",
"api-ms-win-security-systemfunctions-l1-1-0",
"\\pard\\keepn\\fi-360\\li720\\sb120\\sa120\\tx720\\lang1036\\'b7\\tab tout ce qui est reli\\'e9 au logiciel, aux services ou au contenu (y compris le code) figurant sur des sites Internet tiers ou dans des programmes tiers ; et\\par",
"If you comply with these license terms, you have the rights below.",
"ABCDEFGHIJKLMNOPQRSTUVWXYZ",
"xh-za",
"en-jm",
"QQSVW",
"1^2s2",
"NAN(SNAN)",
"*030>0E0X0f0l0r0x0~0",
">@s5f",
"GetCPInfo",
"e par la loi en vigueur.",
"%s v%s - %s",
"operator \"\" ",
"RegSetValueExA",
"oK0D$\"<",
"great britain",
"1$1,141<1D1L1T1\\1d1l1t1|1",
"5. \\tab\\fs19 DOCUMENTATION.\\b0 Any person that has valid access to your computer or internal network may copy and use the documentation for your internal, reference purposes.\\b\\par",
">G?Y?",
"pl-pl",
".Toute utilisation de ce logiciel est ",
" volatile",
"1http://www.microsoft.com/PKI/docs/CPS/default.htm0@",
"tn-ZA",
"be-by",
"USER32.dll",
":V;Z;^;b;f;j;n;r;",
"Microsoft Visual C++ Runtime Library",
"LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES",
"english-trinidad y tobago",
"`template-type-parameter-",
"9$9C9",
"english-belize",
"zh-cn",
"r5f;u",
"__fastcall",
"4L5}5",
"es-pr",
"en-bz",
"5\"5-545<6",
"std::nullptr_t",
"v2!L.2",
".idata$6",
"@hX*E",
"ar-ye",
"kok-in",
"SPjdVQ",
"#.X'=",
"2$3A3`3",
"x!j$Xf9",
"9F:O:",
"1N1\\1c1j1t1{1",
"SetFilePointer",
"fr-lu",
"english-usa",
"`adjustor{",
"english-us",
" Type Descriptor'",
"8K9T9l9",
"F2jgYf;",
"R0P0N",
"fr-CA",
"es-PR",
">\">0>8>P>i>",
"<*<4<=<",
"hu-hu",
"SetUnhandledExceptionFilter",
"xh-ZA",
"(Ht5F",
"`vbase destructor'",
".?AVbad_exception@std@@",
"th-th",
"`string'",
"GetOEMCP",
"8(8H8d8h8",
"909p9v9",
"sk-sk",
"bn-IN",
"6%7>7j7",
"german-luxembourg",
" votre seule risque et p",
"ca-es",
"\\pard\\sa200\\sl276\\slmult1\\f1\\fs22\\lang9\\par",
"InitializeCriticalSectionAndSpinCount",
"trinidad & tobago",
"9E WW",
"t4",
"long ",
"0\"080>0J0b0h0u0",
"tR<0|",
" Class Hierarchy Descriptor'",
"char8_t",
"HH:mm:ss",
"SendMessageA",
"3 3-3:3K3u3",
"sent contrat ne modifie pas les droits que vous conf",
"es-DO",
"s\\StringFileInfo\\%04X%04X\\%s",
"C;^8u",
"<,=D=w=",
" ",
"* work around any technical limitations in the software;",
"@_^[]",
".rsrc$01",
"162d2k2w2",
".CRT$XPX",
"5Genu",
"rYf;u",
"8&8Q8f8",
"(HtMf",
"9=0nE",
"0;0d0y0",
"-nobanner",
"jjjjj",
"9 :c:q:",
"ReadConsoleW",
"1/0-0",
"9'9R9t9",
"kernel32",
"GetFullPathNameA",
"1#IND",
"sr-sp-cyrl",
"StartDocA",
"FFG;}",
"",
"zh-MO",
"nn-no",
"?!?)?G?O?",
"nb-NO",
"\\pard\\fi-363\\li720\\sb120\\sa120\\tx720\\b0\\'b7\\tab work around any technical limitations in the binary versions of the software;\\par",
"~1WPQ",
"`eh vector constructor iterator'",
"pt-BR",
"kn-IN",
"EncodePointer",
"110708205909Z",
"\\pard\\fi-360\\li360\\sb120\\sa120\\tx360\\fs20 12.\\tab\\fs19 Limitation on and Exclusion of Remedies and Damages. You can recover from SYSINTERNALS and its suppliers only direct damages up to U.S. $5.00. You cannot recover any other damages, including consequential, lost profits, special, indirect or incidental damages.\\par",
"Dapi-ms-win-core-datetime-l1-1-1",
"\\caps\\fs20 6.\\tab\\fs19 Export Restrictions\\caps0 .\\b0 The software is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the software. These laws include restrictions on destinations, end users and end use. For additional information, see {\\cf1\\ul{\\field{\\*\\fldinst{HYPERLINK www.microsoft.com/exporting }}{\\fldrslt{www.microsoft.com/exporting}}}}\\cf1\\ul\\f0\\fs19 <{{\\field{\\*\\fldinst{HYPERLINK \"http://www.microsoft.com/exporting\"}}{\\fldrslt{http://www.microsoft.com/exporting}}}}\\f0\\fs19 >\\cf0\\ulnone .\\b\\par",
"GetUserDefaultLocaleName",
"U0S0Q",
"tr-TR",
"1*272f2r2",
"w>(?4?l?",
"{for ",
"April",
"LocaleNameToLCID",
"8?8^8y8",
";7,?S?c?",
"585=5i5z5",
"202;2U2w2",
"mi-nz",
"GetTimeFormatW",
"ukWj<",
"id-id",
"687z7",
"GetDateFormatEx",
"es-sv",
" delete[]",
"se-SE",
"425C5T5l5",
"__restrict",
"sr-SP-Latn",
"enum ",
"1(0&0",
" Complete Object Locator'",
"rMf;u",
"Ihttp://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl0^",
"November",
".rdata$r",
"5 5$5(5,5054585<5@5L5P5T5X5\\5`5d5h5l5p5t5x5|5",
"ext-ms-win-ntuser-windowstation-l1-1-0",
"\\b EFFET JURIDIQUE.\\b0 Le pr\\'e9sent contrat d\\'e9crit certains droits juridiques. Vous pourriez avoir d'autres droits pr\\'e9vus par les lois de votre pays. Le pr\\'e9sent contrat ne modifie pas les droits que vous conf\\'e8rent les lois de votre pays si celles-ci ne le permettent pas.\\b\\par",
"&Print",
": :$:(:0:H:X:\\:l:p:x:",
"es-VE",
"6,6Z6d6",
"?L?a?r?",
"LocalAlloc",
"LC_MONETARY",
"ka-GE",
"\\pard\\keepn\\fi-360\\li360\\sb120\\sa120\\tx360\\cf2\\b\\caps\\fs20 9.\\tab\\fs19 Applicable Law\\caps0 .\\par",
"GetCurrentDirectoryA",
"\\0.F;",
"$`2X`F",
";6<|<",
"\\VarFileInfo\\Translation",
"*supplements,",
"pa-in",
"quz-BO",
"belgian",
"mt-mt",
"`.rdata",
"ar-om",
"C WVP",
"\\pard\\fi-363\\li720\\sb120\\sa120\\'b7\\tab reverse engineer, decompile or disassemble the binary versions of the software, except and only to the extent that applicable law expressly permits, despite this limitation;\\par",
"`vector copy constructor iterator'",
"<#=5=A=c=j=",
";/;>;C;H;f;~;",
"F4_^[",
"ja-jp",
"`vector destructor iterator'",
"GetEnvironmentStringsW",
"9(:4:@:L:X:\\:`:p;t;x;",
"HeapSize",
"zh-CHS",
"rqf;u",
"french-swiss",
"\\pard\\fi-357\\li357\\sb120\\sa120\\tx360\\b\\fs20 3.\\tab SENSITIVE INFORMATION. \\b0 Please be aware that, similar to other debug tools that capture \\ldblquote process state\\rdblquote information, files saved by Sysinternals tools may include personally identifiable or other sensitive information (such as usernames, passwords, paths to files accessed, and paths to registry accessed). By using this software, you acknowledge that you are aware of this and take sole responsibility for any personally identifiable or other sensitive information provided to Microsoft or any other party through your use of the software.\\b\\par",
" EXON",
"BVj(j",
"PPPPPWS",
"5(5H5h5",
"clamations au titre de violation de contrat ou de garantie, ou au titre de responsabilit",
"5 5,585D5P5\\5h5t5",
"english-south africa",
"da-DK",
"GetFileVersionInfoSizeA",
"__based(",
">http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0",
"es-mx",
"6$6,646<6D6L6T6\\6d6l6t6|6",
"it-CH",
"9F:W:b:",
"`placement delete closure'",
"fr-ch",
"LCMapStringW",
"383A3L3",
"et-EE",
"api-ms-win-core-sysinfo-l1-2-1",
"uf_^[",
"\\'b7\\tab use the software for commercial software hosting services.\\par",
"syr-SY",
"nl-BE",
"se-fi",
"ro-RO",
"818q9",
"HeapAlloc",
"0:1S4d4c5i5o5u5?6N6g6u6{6",
"\\'b7\\tab make more copies of the software than specified in this agreement or allowed by applicable law, despite this limitation;\\par",
"spanish-peru",
"IsValidLocaleName",
"This limitation applies to",
"kok-IN",
"Ehttp://www.microsoft.com/pkiops/certs/MicCodSigPCA2011_2011-07-08.crt0",
"FileVersion",
".rdata$zzzdbg",
"<$<.",
"1/191Q1m1",
"\\pard\\brdrt\\brdrs\\brdrw10\\brsp20 \\sb120\\sa120 If you comply with these license terms, you have the rights below.\\par",
"ciaux, indirects ou accessoires et pertes de b",
"t1RWV",
"2(242@2L2X2d2p2|2",
"en-US",
"french-belgian",
"SetConsoleCtrlHandler",
"\\'b7\\tab publish the software for others to copy;\\par",
"fi-FI",
"ar-kw",
"`vbtable'",
"6;6`6",
"void ",
"FlsSetValue",
"GetModuleFileNameW",
"SUPPORT SERVICES",
"-f File offset at which to start scanning.",
"These license terms are an agreement between Sysinternals(a wholly owned subsidiary of Microsoft Corporation) and you.Please read them.They apply to the software you are downloading from technet.microsoft.com / sysinternals, which includes the media on which you received it, if any.The terms also apply to any Sysinternals",
"es-py",
"short",
"uX9^\\",
"5!8Y8",
"api-ms-win-core-processthreads-l1-1-2",
"F4_^[]",
"es-CR",
"2!2'2",
"GetVersionExA",
"You can recover from sysinternals and its suppliers only direct damages up to U.S.$5.00.You cannot recover any other damages, including consequential, lost profits, special, indirect or incidental damages.",
"2 2,2024282<2@2L2P2T2X2",
"Microsoft Time-Stamp PCA 20100",
"quz-EC",
"1#INF",
"\\'b7\\tab rent, lease or lend the software;\\par",
"GetLocaleInfoW",
"__thiscall",
"hong-kong",
"hu-HU",
" Base Class Descriptor at (",
"GetModuleHandleA",
"LCMapStringEx",
".CRT$XTA",
"{\\colortbl ;\\red0\\green0\\blue255;\\red0\\green0\\blue0;}",
"nn-NO",
"<:6`6z7",
"2 2@2\\2`2",
"coclass ",
"ar-OM",
"20210622125524Z",
"en-ie",
"SWt@jU",
"Sysinternals License",
"201215213145Z",
"jAXf;",
"chinese",
"=3=e=w=",
"1$1B1J1k1q1y1",
"ENTIRE AGREEMENT",
"es-EC",
"BC .=",
"tn-za",
"3'3W3",
"da-dk",
"8*9u9",
"6!7C7p7",
"TlsAlloc",
"ar-ae",
",",
" ",
"*Internet - based services,",
"9':<:V:h:",
"F0a0w0",
".?AVpcharNode@@",
"`scalar deleting destructor'",
"r8f;u",
"czech",
"Ehttp://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl0Z",
"sl-SI",
"SENSITIVE INFORMATION",
"crit certains droits juridiques.Vous pourriez avoir d'autres droits pr",
"Kernel32.dll",
"\\pard\\sb120\\sa120 Elle s'applique \\'e9galement, m\\'eame si Sysinternals connaissait ou devrait conna\\'eetre l'\\'e9ventualit\\'e9 d'un tel dommage. Si votre pays n'autorise pas l'exclusion ou la limitation de responsabilit\\'e9 pour les dommages indirects, accessoires ou de quelque nature que ce soit, il se peut que la limitation ou l'exclusion ci-dessus ne s'appliquera pas \\'e0 votre \\'e9gard.\\par",
"260708210909Z0~1",
"TlsFree",
";+<0<5u",
"0S0b0p0",
"Microsoft Time-Stamp Service0",
";W;^;",
"FindClose",
"464]455~5",
"8@u(@",
"5$5,545<5D5L5T5\\5d5l5t5|5",
"ar-LB",
"GetSystemTimePreciseAsFileTime",
"gu-IN",
"`dynamic initializer for '",
"fr-mc",
"`unknown ecsu'",
"ar-BH",
"358uE",
"7:8I8)9V;",
" ",
"de-CH",
"i1s1}1",
"<$=J=O=b=r=",
">R?d?",
"spanish-modern",
"1,2024282<2@2D2H2",
"ns-za",
"11x<|<",
"CloseHandle",
"100701213655Z",
"6 696H6e6>7P7i7t7h8~8",
"0-090U0z0",
"6(6H6h6",
"8$u V",
"chinese-singapore",
">!?/?5?P?x?",
"=/===\\=o=~=",
"spanish-ecuador",
"hi-in",
"jg[jG",
"en-JM",
"operator",
"sv-se",
"`local vftable'",
"The software is licensed \"as - is.\" You bear the risk of using it.Sysinternals gives no express warranties, guarantees or conditions.You may have additional consumer rights under your local laws which this agreement cannot change.To the extent permitted under your local laws, sysinternals excludes the implied warranties of merchantability, fitness for a particular purpose and non - infringement.",
"5 5(50585@5H5P5X5`5h5p5x5",
"mr-in",
"DISCLAIMER OF WARRANTY",
"2-2;2A2G2M2S2Y2`2g2n2u2|2",
"&Agree",
" hauteur de 5, 00 $ US.Vous ne pouvez pr",
"GetDateFormatW",
"en-CB",
"< p>",
";T^hWak?Xbl@YcmAZdnB[eoC\\fpD]gq",
"3$303<3H3T3`3l3x3",
"8$u-9",
"_hypot",
".rsrc$02",
"2A2]2k2w2",
"ar-SA",
"The software is subject to United States export laws and regulations.You must comply with all domestic and international export laws and regulations that apply to the software.These laws include restrictions on destinations, end users and end use.For additional information, see www.microsoft.com / exporting .",
"Strings",
"7h7w7",
"+PjUW",
"AppPolicyGetProcessTerminationMethod",
"1!2s2",
"3#3)3",
"for this software, unless other terms accompany those items.If so, those terms apply.",
"%s\\%s",
"Software\\Microsoft\\windows nt\\currentversion",
"restrict(",
"spanish-el salvador",
"`local static thread guard'",
"FreeEnvironmentStringsW",
"LocalFree",
"Microsoft Corporation1200",
"public: ",
"`vector deleting destructor'",
"358}E",
"QEX82q'",
"en-ZW",
"zh-TW",
"process state",
"fr-LU",
"ProductName",
"Remarque : Ce logiciel ",
"2!2'2-23292?2E2K2Q2W2]2c2i2o2u2{2",
"AR>\\>e>v>",
"mi-NZ",
"quation ",
"6Q7w7",
"*rent, lease or lend the software;",
"MM/dd/yy",
"`2Dk\\",
"char32_t",
"SetLastError",
"_logb",
"pl-PL",
",PjVW",
"1,232:2A2a2p2z2",
"O0M0K",
"VerQueryValueA",
"spanish-bolivia",
".idata$2",
"Search for ANSI and Unicode strings in binary images.",
"E0C1)0'",
"1&1?1I1l1v1",
"IsValidLocale",
"FormatMessageA",
"j0Zf;",
" ",
"FindNextFileW",
"384R4^4j4r4",
"2`3d3h3l3p3t3x3|3",
";%;+;5;E;f;",
"jA[f;",
"`vector vbase constructor iterator'",
"ko-kr",
"250701214655Z0|1",
"mk-MK",
"ar-YE",
" au Qu",
"0*0A0b0",
"es-ar",
"std::nullptr_t ",
"*PjTW",
"A1V?c?",
".text",
"jGYf;",
"Shell32.dll",
"VVVVV",
"\\lang1033 Cette limitation concerne :\\par",
"spanish-colombia",
"HeapReAlloc",
"z.9Wv",
"\\pard\\fi-363\\li720\\sb120\\sa120\\'b7\\tab claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or other tort to the extent permitted by applicable law.\\par",
"jj^f;",
"\\pard\\fi-357\\li357\\sb120\\sa120\\tx360\\caps\\fs20 10.\\tab\\fs19 Legal Effect.\\b0\\caps0 This agreement describes certain legal rights. You may have other rights under the laws of your country. You may also have rights with respect to the party from whom you acquired the software. This agreement does not change your rights under the laws of your country if the laws of your country do not permit it to do so.\\b\\caps\\par",
"FlsAlloc",
"/>7>?>H>u>~>",
"__int128",
"Copyright (C) 1999-2021 Mark Russinovich",
"CorExitProcess",
"4$4,444<4D4L4T4\\4d4l4t4|4",
"1)1H1",
"August",
"* anything related to the software, services, content(including code) on third party Internet sites, or third party programs; and",
"4<4T4o4z4",
"canadian",
"<0=:=C=L=a=j=",
"*reverse engineer, decompile or disassemble the software, except and only to the extent that applicable law expressly permits, despite this limitation;",
"APPLICABLE LAW",
"CreateFileW",
"September",
"en-nz",
">!>/>5>C>",
"RATION DE GARANTIE.Le logiciel vis",
"122O2",
"zh-CN",
"spanish-dominican republic",
";E<\\<~<",
"20210622112508.213Z0",
"OutputDebugStringW",
"PWjUR",
"You may install and use any number of copies of the software on your devices.",
"utf-8",
".text$mn",
"COMDLG32.dll",
"PeekConsoleInputA",
"`local vftable constructor closure'",
"6?7E7K7Q7W7]7",
"CLC_ALL",
"`vcall'",
"GetStartupInfoW",
"hy-AM",
"irish-english",
">#>7>",
"se-no",
"Sunday",
"lv-lv",
"FindFirstFileExW",
"is-IS",
"-accepteula",
"667?7\\7b7h7",
"2%3B3",
"0P0z0",
"0$0,040<0D0L0T0\\0d0l0t0|0",
"`local static guard'",
".?AVbad_alloc@std@@",
"? ?@?H?T?",
";4<;http://www.microsoft.com/pki/certs/MicTimStaPCA_2010-07-01.crt0",
"GetEnabledXStateFeatures",
"`generic-class-parameter-",
".rdata$CastGuardVftablesA",
" noexcept",
"ta-IN",
"`eh vector copy constructor iterator'",
"=6=i=@>|>",
"LeaveCriticalSection",
"fr-BE",
".idata$4"
],
"virustotal": {
"error": true,
"msg": "VT File lookup disabled in processing.conf"
},
"executed_tools": [
"overlay",
"msi_extract",
"kixtart_extract",
"vbe_extract",
"batch_extract",
"UnAutoIt_extract",
"UPX_unpack",
"RarSFX_extract",
"Inno_extract",
"SevenZip_unpack",
"de4dot_deobfuscate",
"eziriz_deobfuscate",
"office_one"
],
"selfextract": {
"overlay": {
"extracted_files": [
{
"name": "32a9b4fae77dc182ce634c321b6bf2102a9fe53313678e25821d2078e94f62ce",
"path": "/opt/CAPEv2/storage/analyses/13/selfextracted/32a9b4fae77dc182ce634c321b6bf2102a9fe53313678e25821d2078e94f62ce",
"guest_paths": [
"overlay"
],
"size": 9096,
"crc32": "4A650080",
"md5": "3b382f6507fd9d8c12a9e719b3e4d5ff",
"sha1": "548041242648655740967a19dd1214aaba25f73e",
"sha256": "32a9b4fae77dc182ce634c321b6bf2102a9fe53313678e25821d2078e94f62ce",
"sha512": "37af2f3dcd1d509cea601a64ce93f08221ee65b2a93f34a59456b560ff2be3b6db836ec53d9288f3ad6c3a7b9cc0ca0800cf80af9dadd401961fa9a08ee9b701",
"rh_hash": null,
"ssdeep": "192:eWULwu0Sc2HnhWgN7aQWFgoqnajKsXcq:wD/HRN7unlGsXc",
"type": "data",
"yara": [],
"cape_yara": [],
"clamav": [],
"tlsh": "T1181229D28D6C5843DE9B7C8053ACE853BD3C83D738009066295EFA991DD37C6EB2856D",
"sha3_384": "312113f74e60a85ae1260a51cc71581f2d22e69aca5f4280a85e3cf0477ffb30c02b9067ad353df9bee8a3999bad7a50",
"data": null
}
],
"extracted_files_time": 0.00219647993799299,
"password": ""
}
},
"cape_type_code": 0,
"cape_type": ""
}
},
"CAPE": {
"payloads": [],
"configs": []
},
"info": {
"version": "2.5",
"started": "2026-03-08 09:34:31",
"ended": "2026-03-08 09:36:28",
"duration": 117,
"id": 13,
"category": "file",
"custom": "",
"machine": {
"id": 17,
"status": "stopping",
"name": "win10x64",
"label": "win10x64",
"platform": "windows",
"manager": "KVM",
"started_on": "2026-03-08 09:34:31",
"shutdown_on": "2026-03-08 09:36:27"
},
"package": "exe",
"timeout": false,
"tlp": null,
"parent_sample": null,
"options": {},
"source_url": null,
"route": "none",
"user_id": 0,
"CAPE_current_commit": "a9a0887dab232f52c59e955b9984dd494c47ce6b"
},
"behavior": {
"processes": [
{
"process_id": 6132,
"process_name": "strings.exe",
"parent_id": 7304,
"module_path": "C:\\Users\\cape\\AppData\\Local\\Temp\\strings.exe",
"first_seen": "2026-03-08 06:36:04,553",
"calls": [
{
"timestamp": "2026-03-08 06:36:05,163",
"thread_id": "6036",
"caller": "0x73ed8c37",
"parentcaller": "0x73ed73e7",
"category": "misc",
"api": "HeapCreate",
"status": true,
"return": "0x02550000",
"arguments": [
{
"name": "Options",
"value": "0"
},
{
"name": "InitialSize",
"value": "0x00001000"
},
{
"name": "MaximumSize",
"value": "0x00000000"
}
],
"repeated": 0,
"id": 0
},
{
"timestamp": "2026-03-08 06:36:05,163",
"thread_id": "6036",
"caller": "0x7726074f",
"parentcaller": "0x73ed84e1",
"category": "system",
"api": "LdrGetDllHandle",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileName",
"value": "KERNELBASE.DLL"
},
{
"name": "ModuleHandle",
"value": "0x77150000"
}
],
"repeated": 0,
"id": 1
},
{
"timestamp": "2026-03-08 06:36:05,163",
"thread_id": "6036",
"caller": "0x7726978d",
"parentcaller": "0x76acf564",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "KERNELBASE.dll"
},
{
"name": "ModuleHandle",
"value": "0x77150000"
},
{
"name": "FunctionName",
"value": "FlsAlloc"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x7727a5a0"
}
],
"repeated": 0,
"id": 2
},
{
"timestamp": "2026-03-08 06:36:05,163",
"thread_id": "6036",
"caller": "0x7726978d",
"parentcaller": "0x76acf564",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "KERNELBASE.dll"
},
{
"name": "ModuleHandle",
"value": "0x77150000"
},
{
"name": "FunctionName",
"value": "FlsGetValue"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x77264500"
}
],
"repeated": 0,
"id": 3
},
{
"timestamp": "2026-03-08 06:36:05,163",
"thread_id": "6036",
"caller": "0x7726978d",
"parentcaller": "0x76acf564",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "KERNELBASE.dll"
},
{
"name": "ModuleHandle",
"value": "0x77150000"
},
{
"name": "FunctionName",
"value": "FlsSetValue"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x7726cb70"
}
],
"repeated": 0,
"id": 4
},
{
"timestamp": "2026-03-08 06:36:05,163",
"thread_id": "6036",
"caller": "0x7726978d",
"parentcaller": "0x76acf564",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "KERNELBASE.dll"
},
{
"name": "ModuleHandle",
"value": "0x77150000"
},
{
"name": "FunctionName",
"value": "FlsFree"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x7727d630"
}
],
"repeated": 0,
"id": 5
},
{
"timestamp": "2026-03-08 06:36:05,163",
"thread_id": "6036",
"caller": "0x77e80857",
"parentcaller": "0x77e8055f",
"category": "process",
"api": "NtAllocateVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x02551000"
},
{
"name": "RegionSize",
"value": "0x00001000"
},
{
"name": "Protection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 6
},
{
"timestamp": "2026-03-08 06:36:05,163",
"thread_id": "6036",
"caller": "0x77e80857",
"parentcaller": "0x77e8055f",
"category": "process",
"api": "NtAllocateVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x02552000"
},
{
"name": "RegionSize",
"value": "0x00001000"
},
{
"name": "Protection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 7
},
{
"timestamp": "2026-03-08 06:36:05,163",
"thread_id": "6036",
"caller": "0x7726074f",
"parentcaller": "0x73e8e285",
"category": "system",
"api": "LdrGetDllHandle",
"status": false,
"return": "0xffffffffc0000135",
"pretty_return": "DLL_NOT_FOUND",
"arguments": [
{
"name": "FileName",
"value": "LPK.DLL"
},
{
"name": "ModuleHandle",
"value": "0x73e70000"
}
],
"repeated": 0,
"id": 8
},
{
"timestamp": "2026-03-08 06:36:05,163",
"thread_id": "6036",
"caller": "0x7726074f",
"parentcaller": "0x73e8e294",
"category": "system",
"api": "LdrGetDllHandle",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileName",
"value": "KERNEL32"
},
{
"name": "ModuleHandle",
"value": "0x76ab0000"
}
],
"repeated": 0,
"id": 9
},
{
"timestamp": "2026-03-08 06:36:05,163",
"thread_id": "6036",
"caller": "0x7726978d",
"parentcaller": "0x76acf564",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "KERNEL32.DLL"
},
{
"name": "ModuleHandle",
"value": "0x76ab0000"
},
{
"name": "FunctionName",
"value": "ProcessIdToSessionId"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x76ad0b90"
}
],
"repeated": 0,
"id": 10
},
{
"timestamp": "2026-03-08 06:36:05,163",
"thread_id": "6036",
"caller": "0x73e76cbc",
"parentcaller": "0x73e8e2dc",
"category": "misc",
"api": "SystemParametersInfoW",
"status": true,
"return": "0x00000001",
"arguments": [
{
"name": "Action",
"value": "0x00000068"
},
{
"name": "uiParam",
"value": "0x00000000"
}
],
"repeated": 0,
"id": 11
},
{
"timestamp": "2026-03-08 06:36:05,163",
"thread_id": "6036",
"caller": "0x77e93999",
"parentcaller": "0x77e6d7e4",
"category": "process",
"api": "NtQueryInformationToken",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "TokenInformationClass",
"value": "1"
},
{
"name": "TokenInformation",
"value": "$\\xec(\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xcc\\x04\\x82\\xdf\\xb2e\\xf3\\xf4\\xc8\\x97L\\xbe\\xe8\\x03\\x00\\x00h\\xec(\\x00N\n'w\\\\xec(\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00&\\x00'\\x00d?\\xd1u\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\xb5\\x01\\x01\\xa8\\xec(\\x00"
}
],
"repeated": 0,
"id": 12
},
{
"timestamp": "2026-03-08 06:36:05,163",
"thread_id": "6036",
"caller": "0x77e6d817",
"parentcaller": "0x7727b6b7",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000028c"
},
{
"name": "DesiredAccess",
"value": "0x00020019",
"pretty_value": "KEY_READ"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\REGISTRY\\USER\\S-1-5-21-3749840076-4109591986-3192690632-1000"
},
{
"name": "ObjectAttributes",
"value": "HKEY_CURRENT_USER"
}
],
"repeated": 0,
"id": 13
},
{
"timestamp": "2026-03-08 06:36:05,163",
"thread_id": "6036",
"caller": "0x73e76dfb",
"parentcaller": "0x73e8e2dc",
"category": "misc",
"api": "GetSystemMetrics",
"status": true,
"return": "0x00000400",
"arguments": [
{
"name": "SystemMetricIndex",
"value": "0"
}
],
"repeated": 0,
"id": 14
},
{
"timestamp": "2026-03-08 06:36:05,163",
"thread_id": "6036",
"caller": "0x73e76e08",
"parentcaller": "0x73e8e2dc",
"category": "misc",
"api": "GetSystemMetrics",
"status": true,
"return": "0x00000300",
"arguments": [
{
"name": "SystemMetricIndex",
"value": "1"
}
],
"repeated": 0,
"id": 15
},
{
"timestamp": "2026-03-08 06:36:05,163",
"thread_id": "6036",
"caller": "0x73e76e3e",
"parentcaller": "0x73e8e2dc",
"category": "misc",
"api": "SystemParametersInfoW",
"status": true,
"return": "0x00000001",
"arguments": [
{
"name": "Action",
"value": "0x00000029"
},
{
"name": "uiParam",
"value": "0x000001f4"
}
],
"repeated": 0,
"id": 16
},
{
"timestamp": "2026-03-08 06:36:05,163",
"thread_id": "6036",
"caller": "0x73e76eaf",
"parentcaller": "0x73e8e2dc",
"category": "misc",
"api": "SystemParametersInfoW",
"status": true,
"return": "0x00000001",
"arguments": [
{
"name": "Action",
"value": "0x00000066"
},
{
"name": "uiParam",
"value": "0x00000000"
}
],
"repeated": 0,
"id": 17
},
{
"timestamp": "2026-03-08 06:36:05,163",
"thread_id": "6036",
"caller": "0x73e76ec6",
"parentcaller": "0x73e8e2dc",
"category": "registry",
"api": "RegCloseKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x0000028c"
}
],
"repeated": 0,
"id": 18
},
{
"timestamp": "2026-03-08 06:36:05,163",
"thread_id": "6036",
"caller": "0x77261d96",
"parentcaller": "0x7727ce71",
"category": "system",
"api": "LdrLoadDll",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Flags",
"value": "0x00000000"
},
{
"name": "FileName",
"value": "imm32.dll"
},
{
"name": "BaseAddress",
"value": "0x774e0000"
}
],
"repeated": 0,
"id": 19
},
{
"timestamp": "2026-03-08 06:36:05,163",
"thread_id": "6036",
"caller": "0x7726978d",
"parentcaller": "0x76acf564",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "IMM32.DLL"
},
{
"name": "ModuleHandle",
"value": "0x774e0000"
},
{
"name": "FunctionName",
"value": "ImmCreateContext"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x774e7770"
}
],
"repeated": 0,
"id": 20
},
{
"timestamp": "2026-03-08 06:36:05,163",
"thread_id": "6036",
"caller": "0x7726978d",
"parentcaller": "0x76acf564",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "IMM32.DLL"
},
{
"name": "ModuleHandle",
"value": "0x774e0000"
},
{
"name": "FunctionName",
"value": "ImmDestroyContext"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x774e77e0"
}
],
"repeated": 0,
"id": 21
},
{
"timestamp": "2026-03-08 06:36:05,163",
"thread_id": "6036",
"caller": "0x7726978d",
"parentcaller": "0x76acf564",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "IMM32.DLL"
},
{
"name": "ModuleHandle",
"value": "0x774e0000"
},
{
"name": "FunctionName",
"value": "ImmNotifyIME"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x774ebc30"
}
],
"repeated": 0,
"id": 22
},
{
"timestamp": "2026-03-08 06:36:05,163",
"thread_id": "6036",
"caller": "0x7726978d",
"parentcaller": "0x76acf564",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "IMM32.DLL"
},
{
"name": "ModuleHandle",
"value": "0x774e0000"
},
{
"name": "FunctionName",
"value": "ImmAssociateContext"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x774e50e0"
}
],
"repeated": 0,
"id": 23
},
{
"timestamp": "2026-03-08 06:36:05,163",
"thread_id": "6036",
"caller": "0x7726978d",
"parentcaller": "0x76acf564",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "IMM32.DLL"
},
{
"name": "ModuleHandle",
"value": "0x774e0000"
},
{
"name": "FunctionName",
"value": "ImmReleaseContext"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x774e4e80"
}
],
"repeated": 0,
"id": 24
},
{
"timestamp": "2026-03-08 06:36:05,163",
"thread_id": "6036",
"caller": "0x7726978d",
"parentcaller": "0x76acf564",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "IMM32.DLL"
},
{
"name": "ModuleHandle",
"value": "0x774e0000"
},
{
"name": "FunctionName",
"value": "ImmGetContext"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x774e3b30"
}
],
"repeated": 0,
"id": 25
},
{
"timestamp": "2026-03-08 06:36:05,163",
"thread_id": "6036",
"caller": "0x7726978d",
"parentcaller": "0x76acf564",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "IMM32.DLL"
},
{
"name": "ModuleHandle",
"value": "0x774e0000"
},
{
"name": "FunctionName",
"value": "ImmGetCompositionStringA"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x774e84b0"
}
],
"repeated": 0,
"id": 26
},
{
"timestamp": "2026-03-08 06:36:05,163",
"thread_id": "6036",
"caller": "0x7726978d",
"parentcaller": "0x76acf564",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "IMM32.DLL"
},
{
"name": "ModuleHandle",
"value": "0x774e0000"
},
{
"name": "FunctionName",
"value": "ImmSetCompositionStringA"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x774e9050"
}
],
"repeated": 0,
"id": 27
},
{
"timestamp": "2026-03-08 06:36:05,163",
"thread_id": "6036",
"caller": "0x7726978d",
"parentcaller": "0x76acf564",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "IMM32.DLL"
},
{
"name": "ModuleHandle",
"value": "0x774e0000"
},
{
"name": "FunctionName",
"value": "ImmGetCompositionStringW"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x774e8550"
}
],
"repeated": 0,
"id": 28
},
{
"timestamp": "2026-03-08 06:36:05,163",
"thread_id": "6036",
"caller": "0x7726978d",
"parentcaller": "0x76acf564",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "IMM32.DLL"
},
{
"name": "ModuleHandle",
"value": "0x774e0000"
},
{
"name": "FunctionName",
"value": "ImmSetCompositionStringW"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x774e9080"
}
],
"repeated": 0,
"id": 29
},
{
"timestamp": "2026-03-08 06:36:05,163",
"thread_id": "6036",
"caller": "0x7726978d",
"parentcaller": "0x76acf564",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "IMM32.DLL"
},
{
"name": "ModuleHandle",
"value": "0x774e0000"
},
{
"name": "FunctionName",
"value": "ImmSetCandidateWindow"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x774e8d60"
}
],
"repeated": 0,
"id": 30
},
{
"timestamp": "2026-03-08 06:36:05,163",
"thread_id": "6036",
"caller": "0x7726978d",
"parentcaller": "0x76acf564",
"category": "system",
"api": "LdrpCallInitRoutine",
"status": true,
"return": "0x00000001",
"arguments": [
{
"name": "MappedPath",
"value": "\\Device\\HarddiskVolume1\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.19041.1110_none_c0da534e38c01f4d\\comctl32"
},
{
"name": "BaseAddress",
"value": "0x73e70000"
},
{
"name": "InitRoutine",
"value": "0x73ed7340"
},
{
"name": "Reason",
"value": "1"
}
],
"repeated": 0,
"id": 31
},
{
"timestamp": "2026-03-08 06:36:05,163",
"thread_id": "6036",
"caller": "0x769fa1a8",
"parentcaller": "0x76a023cd",
"category": "system",
"api": "LdrpCallInitRoutine",
"status": true,
"return": "0x00000001",
"arguments": [
{
"name": "MappedPath",
"value": "\\Device\\HarddiskVolume1\\Windows\\SysWOW64\\comdlg32"
},
{
"name": "BaseAddress",
"value": "0x769c0000"
},
{
"name": "InitRoutine",
"value": "0x76a02290"
},
{
"name": "Reason",
"value": "1"
}
],
"repeated": 0,
"id": 32
},
{
"timestamp": "2026-03-08 06:36:05,163",
"thread_id": "6036",
"caller": "0x77ea64d6",
"parentcaller": "0x77ea63e1",
"category": "threading",
"api": "NtTestAlert",
"status": true,
"return": "0x00000000",
"arguments": [],
"repeated": 0,
"id": 33
},
{
"timestamp": "2026-03-08 06:36:05,163",
"thread_id": "6036",
"caller": "0x00000000",
"parentcaller": "0x00000000",
"category": "threading",
"api": "RtlUserThreadStart",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "StartAddress",
"value": "0x00000000"
},
{
"name": "Parameter",
"value": "0x00000000"
}
],
"repeated": 0,
"id": 34
},
{
"timestamp": "2026-03-08 06:36:05,163",
"thread_id": "6472",
"caller": "0x77e91c0e",
"parentcaller": "0x77e8dbb1",
"category": "system",
"api": "NtWaitForSingleObject",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x0000007c"
},
{
"name": "Milliseconds",
"value": "18446744073709551615"
},
{
"name": "Status",
"value": "Infinite"
}
],
"repeated": 3,
"id": 35
},
{
"timestamp": "2026-03-08 06:36:05,163",
"thread_id": "4396",
"caller": "0x77267322",
"parentcaller": "0x77267238",
"category": "device",
"api": "NtDeviceIoControlFile",
"status": false,
"return": "0xffffffffc00700bb",
"arguments": [
{
"name": "FileHandle",
"value": "0x00000088"
},
{
"name": "HandleName",
"value": "\\Device\\ConDrv"
},
{
"name": "IoControlCode",
"value": "0x00500016"
},
{
"name": "InputBuffer",
"value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xef\\xbf\\x03\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\xef\\xbf\\x03\\x00\\x00\\x00\\x00"
},
{
"name": "OutputBuffer",
"value": ""
}
],
"repeated": 0,
"id": 36
},
{
"timestamp": "2026-03-08 06:36:05,163",
"thread_id": "4396",
"caller": "0x77ea64d6",
"parentcaller": "0x77ea63e1",
"category": "threading",
"api": "NtTestAlert",
"status": true,
"return": "0x00000000",
"arguments": [],
"repeated": 0,
"id": 37
},
{
"timestamp": "2026-03-08 06:36:05,163",
"thread_id": "4396",
"caller": "0x00000000",
"parentcaller": "0x00000000",
"category": "threading",
"api": "RtlUserThreadStart",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "StartAddress",
"value": "0x00000000"
},
{
"name": "Parameter",
"value": "0x00000000"
}
],
"repeated": 0,
"id": 38
},
{
"timestamp": "2026-03-08 06:36:05,163",
"thread_id": "6472",
"caller": "0x77267322",
"parentcaller": "0x77267238",
"category": "device",
"api": "NtDeviceIoControlFile",
"status": false,
"return": "0xffffffffc00700bb",
"arguments": [
{
"name": "FileHandle",
"value": "0x00000088"
},
{
"name": "HandleName",
"value": "\\Device\\ConDrv"
},
{
"name": "IoControlCode",
"value": "0x00500016"
},
{
"name": "InputBuffer",
"value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\n\\x00\\x00\\x00\\x88\\x00\\x00\\x00@\\xf6\\xaf\\x03\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\xfe\\xff\\xff\\xffH\\xf6\\xaf\\x03\\x00\\x00\\x00\\x00"
},
{
"name": "OutputBuffer",
"value": ""
}
],
"repeated": 0,
"id": 39
},
{
"timestamp": "2026-03-08 06:36:05,163",
"thread_id": "6472",
"caller": "0x77ea64d6",
"parentcaller": "0x77ea63e1",
"category": "threading",
"api": "NtTestAlert",
"status": true,
"return": "0x00000000",
"arguments": [],
"repeated": 0,
"id": 40
},
{
"timestamp": "2026-03-08 06:36:05,163",
"thread_id": "6472",
"caller": "0x00000000",
"parentcaller": "0x00000000",
"category": "threading",
"api": "RtlUserThreadStart",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "StartAddress",
"value": "0x00000000"
},
{
"name": "Parameter",
"value": "0x00000000"
}
],
"repeated": 0,
"id": 41
},
{
"timestamp": "2026-03-08 06:36:05,163",
"thread_id": "6444",
"caller": "0x77267322",
"parentcaller": "0x77267238",
"category": "device",
"api": "NtDeviceIoControlFile",
"status": false,
"return": "0xffffffffc00700bb",
"arguments": [
{
"name": "FileHandle",
"value": "0x00000088"
},
{
"name": "HandleName",
"value": "\\Device\\ConDrv"
},
{
"name": "IoControlCode",
"value": "0x00500016"
},
{
"name": "InputBuffer",
"value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\n\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\xc0\\xf5O\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\xfe\\xff\\xff\\xff\\xc8\\xf5O\\x02\\x00\\x00\\x00\\x00"
},
{
"name": "OutputBuffer",
"value": ""
}
],
"repeated": 0,
"id": 42
},
{
"timestamp": "2026-03-08 06:36:05,163",
"thread_id": "6444",
"caller": "0x77ea64d6",
"parentcaller": "0x77ea63e1",
"category": "threading",
"api": "NtTestAlert",
"status": true,
"return": "0x00000000",
"arguments": [],
"repeated": 0,
"id": 43
},
{
"timestamp": "2026-03-08 06:36:05,163",
"thread_id": "6444",
"caller": "0x00000000",
"parentcaller": "0x00000000",
"category": "threading",
"api": "RtlUserThreadStart",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "StartAddress",
"value": "0x00000000"
},
{
"name": "Parameter",
"value": "0x00000000"
}
],
"repeated": 0,
"id": 44
},
{
"timestamp": "2026-03-08 06:36:05,163",
"thread_id": "4356",
"caller": "0x77267322",
"parentcaller": "0x77267238",
"category": "device",
"api": "NtDeviceIoControlFile",
"status": false,
"return": "0xffffffffc00700bb",
"arguments": [
{
"name": "FileHandle",
"value": "0x00000088"
},
{
"name": "HandleName",
"value": "\\Device\\ConDrv"
},
{
"name": "IoControlCode",
"value": "0x00500016"
},
{
"name": "InputBuffer",
"value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\n\\x00\\x00\\x00\\x88\\x00\\x00\\x000\\xf09\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\xfe\\xff\\xff\\xff8\\xf09\\x02\\x00\\x00\\x00\\x00"
},
{
"name": "OutputBuffer",
"value": ""
}
],
"repeated": 0,
"id": 45
},
{
"timestamp": "2026-03-08 06:36:05,163",
"thread_id": "4356",
"caller": "0x77ea64d6",
"parentcaller": "0x77ea63e1",
"category": "threading",
"api": "NtTestAlert",
"status": true,
"return": "0x00000000",
"arguments": [],
"repeated": 0,
"id": 46
},
{
"timestamp": "2026-03-08 06:36:05,163",
"thread_id": "4356",
"caller": "0x00000000",
"parentcaller": "0x00000000",
"category": "threading",
"api": "RtlUserThreadStart",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "StartAddress",
"value": "0x00000000"
},
{
"name": "Parameter",
"value": "0x00000000"
}
],
"repeated": 0,
"id": 47
},
{
"timestamp": "2026-03-08 06:36:05,178",
"thread_id": "6036",
"caller": "0x0030d07e",
"parentcaller": "0x0030d105",
"category": "system",
"api": "LdrLoadDll",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Flags",
"value": "0x00000000"
},
{
"name": "FileName",
"value": "api-ms-win-core-synch-l1-2-0"
},
{
"name": "BaseAddress",
"value": "0x77150000"
}
],
"repeated": 0,
"id": 48
},
{
"timestamp": "2026-03-08 06:36:05,178",
"thread_id": "6036",
"caller": "0x0030d07e",
"parentcaller": "0x0030d105",
"category": "system",
"api": "LoadLibraryExW",
"status": true,
"return": "0x77150000",
"arguments": [
{
"name": "lpLibFileName",
"value": "api-ms-win-core-synch-l1-2-0"
},
{
"name": "dwFlags",
"value": "0x00000800"
}
],
"repeated": 0,
"id": 49
},
{
"timestamp": "2026-03-08 06:36:05,178",
"thread_id": "6036",
"caller": "0x0030d115",
"parentcaller": "0x0030d2ec",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "KERNELBASE.dll"
},
{
"name": "ModuleHandle",
"value": "0x77150000"
},
{
"name": "FunctionName",
"value": "InitializeCriticalSectionEx"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x77274ce0"
}
],
"repeated": 0,
"id": 50
},
{
"timestamp": "2026-03-08 06:36:05,178",
"thread_id": "6036",
"caller": "0x0030d07e",
"parentcaller": "0x0030d105",
"category": "system",
"api": "LdrLoadDll",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Flags",
"value": "0x00000000"
},
{
"name": "FileName",
"value": "api-ms-win-core-fibers-l1-1-1"
},
{
"name": "BaseAddress",
"value": "0x77150000"
}
],
"repeated": 0,
"id": 51
},
{
"timestamp": "2026-03-08 06:36:05,178",
"thread_id": "6036",
"caller": "0x0030d07e",
"parentcaller": "0x0030d105",
"category": "system",
"api": "LoadLibraryExW",
"status": true,
"return": "0x77150000",
"arguments": [
{
"name": "lpLibFileName",
"value": "api-ms-win-core-fibers-l1-1-1"
},
{
"name": "dwFlags",
"value": "0x00000800"
}
],
"repeated": 0,
"id": 52
},
{
"timestamp": "2026-03-08 06:36:05,178",
"thread_id": "6036",
"caller": "0x0030d115",
"parentcaller": "0x0030d1fd",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "KERNELBASE.dll"
},
{
"name": "ModuleHandle",
"value": "0x77150000"
},
{
"name": "FunctionName",
"value": "FlsAlloc"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x7727a5a0"
}
],
"repeated": 0,
"id": 53
},
{
"timestamp": "2026-03-08 06:36:05,178",
"thread_id": "6036",
"caller": "0x0030d115",
"parentcaller": "0x0030d2ae",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "KERNELBASE.dll"
},
{
"name": "ModuleHandle",
"value": "0x77150000"
},
{
"name": "FunctionName",
"value": "FlsSetValue"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x7726cb70"
}
],
"repeated": 0,
"id": 54
},
{
"timestamp": "2026-03-08 06:36:05,178",
"thread_id": "6036",
"caller": "0x0032926f",
"parentcaller": "0x00329334",
"category": "system",
"api": "LdrLoadDll",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Flags",
"value": "0x00000000"
},
{
"name": "FileName",
"value": "api-ms-win-core-synch-l1-2-0"
},
{
"name": "BaseAddress",
"value": "0x77150000"
}
],
"repeated": 0,
"id": 55
},
{
"timestamp": "2026-03-08 06:36:05,178",
"thread_id": "6036",
"caller": "0x0032926f",
"parentcaller": "0x00329334",
"category": "system",
"api": "LoadLibraryExW",
"status": true,
"return": "0x77150000",
"arguments": [
{
"name": "lpLibFileName",
"value": "api-ms-win-core-synch-l1-2-0"
},
{
"name": "dwFlags",
"value": "0x00000800"
}
],
"repeated": 0,
"id": 56
},
{
"timestamp": "2026-03-08 06:36:05,178",
"thread_id": "6036",
"caller": "0x00329344",
"parentcaller": "0x00329907",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "KERNELBASE.dll"
},
{
"name": "ModuleHandle",
"value": "0x77150000"
},
{
"name": "FunctionName",
"value": "InitializeCriticalSectionEx"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x77274ce0"
}
],
"repeated": 0,
"id": 57
},
{
"timestamp": "2026-03-08 06:36:05,178",
"thread_id": "6036",
"caller": "0x0032926f",
"parentcaller": "0x00329334",
"category": "system",
"api": "LdrLoadDll",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Flags",
"value": "0x00000000"
},
{
"name": "FileName",
"value": "api-ms-win-core-fibers-l1-1-1"
},
{
"name": "BaseAddress",
"value": "0x77150000"
}
],
"repeated": 0,
"id": 58
},
{
"timestamp": "2026-03-08 06:36:05,178",
"thread_id": "6036",
"caller": "0x0032926f",
"parentcaller": "0x00329334",
"category": "system",
"api": "LoadLibraryExW",
"status": true,
"return": "0x77150000",
"arguments": [
{
"name": "lpLibFileName",
"value": "api-ms-win-core-fibers-l1-1-1"
},
{
"name": "dwFlags",
"value": "0x00000800"
}
],
"repeated": 0,
"id": 59
},
{
"timestamp": "2026-03-08 06:36:05,178",
"thread_id": "6036",
"caller": "0x00329344",
"parentcaller": "0x0032963e",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "KERNELBASE.dll"
},
{
"name": "ModuleHandle",
"value": "0x77150000"
},
{
"name": "FunctionName",
"value": "FlsAlloc"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x7727a5a0"
}
],
"repeated": 0,
"id": 60
},
{
"timestamp": "2026-03-08 06:36:05,178",
"thread_id": "6036",
"caller": "0x00329344",
"parentcaller": "0x003296bc",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "KERNELBASE.dll"
},
{
"name": "ModuleHandle",
"value": "0x77150000"
},
{
"name": "FunctionName",
"value": "FlsGetValue"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x77264500"
}
],
"repeated": 0,
"id": 61
},
{
"timestamp": "2026-03-08 06:36:05,178",
"thread_id": "6036",
"caller": "0x00329344",
"parentcaller": "0x003296fb",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "KERNELBASE.dll"
},
{
"name": "ModuleHandle",
"value": "0x77150000"
},
{
"name": "FunctionName",
"value": "FlsSetValue"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x7726cb70"
}
],
"repeated": 0,
"id": 62
},
{
"timestamp": "2026-03-08 06:36:05,178",
"thread_id": "6036",
"caller": "0x0032926f",
"parentcaller": "0x00329334",
"category": "system",
"api": "LdrLoadDll",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Flags",
"value": "0x00000000"
},
{
"name": "FileName",
"value": "api-ms-win-core-localization-l1-2-1"
},
{
"name": "BaseAddress",
"value": "0x77150000"
}
],
"repeated": 0,
"id": 63
},
{
"timestamp": "2026-03-08 06:36:05,178",
"thread_id": "6036",
"caller": "0x0032926f",
"parentcaller": "0x00329334",
"category": "system",
"api": "LoadLibraryExW",
"status": true,
"return": "0x77150000",
"arguments": [
{
"name": "lpLibFileName",
"value": "api-ms-win-core-localization-l1-2-1"
},
{
"name": "dwFlags",
"value": "0x00000800"
}
],
"repeated": 0,
"id": 64
},
{
"timestamp": "2026-03-08 06:36:05,178",
"thread_id": "6036",
"caller": "0x00329344",
"parentcaller": "0x00329157",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "KERNELBASE.dll"
},
{
"name": "ModuleHandle",
"value": "0x77150000"
},
{
"name": "FunctionName",
"value": "LCMapStringEx"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x77259f50"
}
],
"repeated": 0,
"id": 65
},
{
"timestamp": "2026-03-08 06:36:05,178",
"thread_id": "6036",
"caller": "0x0032926f",
"parentcaller": "0x00329334",
"category": "system",
"api": "LdrLoadDll",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Flags",
"value": "0x00000000"
},
{
"name": "FileName",
"value": "kernel32"
},
{
"name": "BaseAddress",
"value": "0x76ab0000"
}
],
"repeated": 0,
"id": 66
},
{
"timestamp": "2026-03-08 06:36:05,178",
"thread_id": "6036",
"caller": "0x0032926f",
"parentcaller": "0x00329334",
"category": "system",
"api": "LoadLibraryExW",
"status": true,
"return": "0x76ab0000",
"arguments": [
{
"name": "lpLibFileName",
"value": "kernel32"
},
{
"name": "dwFlags",
"value": "0x00000800"
}
],
"repeated": 0,
"id": 67
},
{
"timestamp": "2026-03-08 06:36:05,178",
"thread_id": "6036",
"caller": "0x00329344",
"parentcaller": "0x00328f35",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "KERNEL32.DLL"
},
{
"name": "ModuleHandle",
"value": "0x76ab0000"
},
{
"name": "FunctionName",
"value": "AreFileApisANSI"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x76ad1d80"
}
],
"repeated": 0,
"id": 68
},
{
"timestamp": "2026-03-08 06:36:05,178",
"thread_id": "6036",
"caller": "0x0030497a",
"parentcaller": "0x00303eb6",
"category": "hooking",
"api": "SetUnhandledExceptionFilter",
"status": true,
"return": "0x00000001",
"arguments": [
{
"name": "ExceptionFilter",
"value": "0x0030497e"
}
],
"repeated": 0,
"id": 69
},
{
"timestamp": "2026-03-08 06:36:05,178",
"thread_id": "6036",
"caller": "0x0030192b",
"parentcaller": "0x003019c1",
"category": "registry",
"api": "RegOpenKeyExA",
"status": false,
"return": "0x00000002",
"arguments": [
{
"name": "Registry",
"value": "0x80000002",
"pretty_value": "HKEY_LOCAL_MACHINE"
},
{
"name": "SubKey",
"value": "Software\\Sysinternals"
},
{
"name": "Handle",
"value": "0x00000000"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\Software\\Sysinternals"
}
],
"repeated": 0,
"id": 70
},
{
"timestamp": "2026-03-08 06:36:05,178",
"thread_id": "6036",
"caller": "0x0030192b",
"parentcaller": "0x003019d7",
"category": "registry",
"api": "RegOpenKeyExA",
"status": false,
"return": "0x00000002",
"arguments": [
{
"name": "Registry",
"value": "0x80000001",
"pretty_value": "HKEY_CURRENT_USER"
},
{
"name": "SubKey",
"value": "Software\\Sysinternals"
},
{
"name": "Handle",
"value": "0x00000000"
},
{
"name": "FullName",
"value": "HKEY_CURRENT_USER\\Software\\Sysinternals"
}
],
"repeated": 0,
"id": 71
},
{
"timestamp": "2026-03-08 06:36:05,178",
"thread_id": "6036",
"caller": "0x0030192b",
"parentcaller": "0x003019ef",
"category": "registry",
"api": "RegOpenKeyExA",
"status": false,
"return": "0x00000002",
"arguments": [
{
"name": "Registry",
"value": "0x80000001",
"pretty_value": "HKEY_CURRENT_USER"
},
{
"name": "SubKey",
"value": "Software\\Sysinternals\\Strings"
},
{
"name": "Handle",
"value": "0x00000000"
},
{
"name": "FullName",
"value": "HKEY_CURRENT_USER\\Software\\Sysinternals\\Strings"
}
],
"repeated": 0,
"id": 72
},
{
"timestamp": "2026-03-08 06:36:05,178",
"thread_id": "6036",
"caller": "0x003012f7",
"parentcaller": "0x00301287",
"category": "process",
"api": "NtSetInformationProcess",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessInformationClass",
"value": "12"
},
{
"name": "ProcessInformation",
"value": "\\x00\\x00\\x00\\x00"
}
],
"repeated": 0,
"id": 73
},
{
"timestamp": "2026-03-08 06:36:05,178",
"thread_id": "6036",
"caller": "0x003012f7",
"parentcaller": "0x00301287",
"category": "filesystem",
"api": "NtQueryAttributesFile",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileName",
"value": "C:\\Users\\cape\\AppData\\Local\\Temp\\strings.exe"
}
],
"repeated": 0,
"id": 74
},
{
"timestamp": "2026-03-08 06:36:05,178",
"thread_id": "6036",
"caller": "0x003012f7",
"parentcaller": "0x00301287",
"category": "process",
"api": "NtSetInformationProcess",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessInformationClass",
"value": "12"
},
{
"name": "ProcessInformation",
"value": "\\x01\\x00\\x00\\x00"
}
],
"repeated": 0,
"id": 75
},
{
"timestamp": "2026-03-08 06:36:05,178",
"thread_id": "6036",
"caller": "0x00301314",
"parentcaller": "0x00301287",
"category": "process",
"api": "NtSetInformationProcess",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessInformationClass",
"value": "12"
},
{
"name": "ProcessInformation",
"value": "\\x00\\x00\\x00\\x00"
}
],
"repeated": 0,
"id": 76
},
{
"timestamp": "2026-03-08 06:36:05,178",
"thread_id": "6036",
"caller": "0x00301314",
"parentcaller": "0x00301287",
"category": "filesystem",
"api": "NtQueryAttributesFile",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileName",
"value": "C:\\Users\\cape\\AppData\\Local\\Temp\\strings.exe"
}
],
"repeated": 0,
"id": 77
},
{
"timestamp": "2026-03-08 06:36:05,178",
"thread_id": "6036",
"caller": "0x00301314",
"parentcaller": "0x00301287",
"category": "process",
"api": "NtSetInformationProcess",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessInformationClass",
"value": "12"
},
{
"name": "ProcessInformation",
"value": "\\x01\\x00\\x00\\x00"
}
],
"repeated": 0,
"id": 78
},
{
"timestamp": "2026-03-08 06:36:05,178",
"thread_id": "6036",
"caller": "0x0030278c",
"parentcaller": "0x0030131f",
"category": "registry",
"api": "NtQueryValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x00000100"
},
{
"name": "ValueName",
"value": "000603xx"
},
{
"name": "Type",
"value": "1",
"pretty_value": "REG_SZ"
},
{
"name": "Information",
"value": "kernel32.dll"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Versions\\000603xx"
}
],
"repeated": 0,
"id": 79
},
{
"timestamp": "2026-03-08 06:36:05,178",
"thread_id": "6036",
"caller": "0x0030278c",
"parentcaller": "0x0030131f",
"category": "system",
"api": "LdrLoadDll",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Flags",
"value": "0x00000000"
},
{
"name": "FileName",
"value": "kernel32.dll"
},
{
"name": "BaseAddress",
"value": "0x76ab0000"
}
],
"repeated": 0,
"id": 80
},
{
"timestamp": "2026-03-08 06:36:05,178",
"thread_id": "6036",
"caller": "0x0030278c",
"parentcaller": "0x0030131f",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "KERNEL32.DLL"
},
{
"name": "ModuleHandle",
"value": "0x76ab0000"
},
{
"name": "FunctionName",
"value": "SortGetHandle"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x76ace880"
}
],
"repeated": 0,
"id": 81
},
{
"timestamp": "2026-03-08 06:36:05,178",
"thread_id": "6036",
"caller": "0x0030278c",
"parentcaller": "0x0030131f",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "KERNEL32.DLL"
},
{
"name": "ModuleHandle",
"value": "0x76ab0000"
},
{
"name": "FunctionName",
"value": "SortCloseHandle"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x76ac97e0"
}
],
"repeated": 0,
"id": 82
},
{
"timestamp": "2026-03-08 06:36:05,194",
"thread_id": "6036",
"caller": "0x0030278c",
"parentcaller": "0x0030131f",
"category": "filesystem",
"api": "NtCreateFile",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileHandle",
"value": "0x00000298"
},
{
"name": "DesiredAccess",
"value": "0x80100080",
"pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
},
{
"name": "FileName",
"value": "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
},
{
"name": "CreateDisposition",
"value": "1",
"pretty_value": "FILE_OPEN"
},
{
"name": "ShareAccess",
"value": "1",
"pretty_value": "FILE_SHARE_READ"
},
{
"name": "FileAttributes",
"value": "0x00000080",
"pretty_value": "FILE_ATTRIBUTE_NORMAL"
},
{
"name": "ExistedBefore",
"value": "yes"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 83
},
{
"timestamp": "2026-03-08 06:36:05,194",
"thread_id": "6036",
"caller": "0x0030278c",
"parentcaller": "0x0030131f",
"category": "process",
"api": "NtCreateSection",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "SectionHandle",
"value": "0x0000029c"
},
{
"name": "DesiredAccess",
"value": "0x000f0005",
"pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
},
{
"name": "ObjectAttributes",
"value": ""
},
{
"name": "FileHandle",
"value": "0x00000298"
},
{
"name": "FileName",
"value": "C:\\Windows\\Globalization\\Sorting\\SortDefault.nls"
}
],
"repeated": 0,
"id": 84
},
{
"timestamp": "2026-03-08 06:36:05,194",
"thread_id": "6036",
"caller": "0x0030278c",
"parentcaller": "0x0030131f",
"category": "process",
"api": "NtMapViewOfSection",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "SectionHandle",
"value": "0x0000029c"
},
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x04ac0000"
},
{
"name": "SectionOffset",
"value": "0x0028ed2c"
},
{
"name": "ViewSize",
"value": "0x00338000"
},
{
"name": "Win32Protect",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 85
},
{
"timestamp": "2026-03-08 06:36:05,194",
"thread_id": "6036",
"caller": "0x0030278c",
"parentcaller": "0x0030131f",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x0000029c"
}
],
"repeated": 0,
"id": 86
},
{
"timestamp": "2026-03-08 06:36:05,194",
"thread_id": "6036",
"caller": "0x0030278c",
"parentcaller": "0x0030131f",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000298"
}
],
"repeated": 0,
"id": 87
},
{
"timestamp": "2026-03-08 06:36:05,194",
"thread_id": "6036",
"caller": "0x0030278c",
"parentcaller": "0x0030131f",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x00000298"
},
{
"name": "DesiredAccess",
"value": "0x00020019",
"pretty_value": "KEY_READ"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\Sorting\\Ids"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\Sorting\\Ids"
}
],
"repeated": 0,
"id": 88
},
{
"timestamp": "2026-03-08 06:36:05,194",
"thread_id": "6036",
"caller": "0x0032d66c",
"parentcaller": "0x0032daee",
"category": "filesystem",
"api": "NtWriteFile",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileHandle",
"value": "0x0000009c"
},
{
"name": "HandleName",
"value": "\\Device\\ConDrv"
},
{
"name": "Buffer",
"value": "\r\nStrings v2.54 - Search for ANSI and Unicode strings in binary images.\r\nCopyright (C) 1999-2021 Mark Russinovich\r\nSysinternals - www.sysinternals.com\r\n\r\n"
},
{
"name": "Length",
"value": "154"
}
],
"repeated": 0,
"id": 89
},
{
"timestamp": "2026-03-08 06:36:05,194",
"thread_id": "6036",
"caller": "0x0030192b",
"parentcaller": "0x003019c1",
"category": "registry",
"api": "RegOpenKeyExA",
"status": false,
"return": "0x00000002",
"arguments": [
{
"name": "Registry",
"value": "0x80000002",
"pretty_value": "HKEY_LOCAL_MACHINE"
},
{
"name": "SubKey",
"value": "Software\\Sysinternals"
},
{
"name": "Handle",
"value": "0x00000000"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\Software\\Sysinternals"
}
],
"repeated": 0,
"id": 90
},
{
"timestamp": "2026-03-08 06:36:05,194",
"thread_id": "6036",
"caller": "0x0030192b",
"parentcaller": "0x003019d7",
"category": "registry",
"api": "RegOpenKeyExA",
"status": false,
"return": "0x00000002",
"arguments": [
{
"name": "Registry",
"value": "0x80000001",
"pretty_value": "HKEY_CURRENT_USER"
},
{
"name": "SubKey",
"value": "Software\\Sysinternals"
},
{
"name": "Handle",
"value": "0x00000000"
},
{
"name": "FullName",
"value": "HKEY_CURRENT_USER\\Software\\Sysinternals"
}
],
"repeated": 0,
"id": 91
},
{
"timestamp": "2026-03-08 06:36:05,194",
"thread_id": "6036",
"caller": "0x0030192b",
"parentcaller": "0x003019ef",
"category": "registry",
"api": "RegOpenKeyExA",
"status": false,
"return": "0x00000002",
"arguments": [
{
"name": "Registry",
"value": "0x80000001",
"pretty_value": "HKEY_CURRENT_USER"
},
{
"name": "SubKey",
"value": "Software\\Sysinternals\\Strings"
},
{
"name": "Handle",
"value": "0x00000000"
},
{
"name": "FullName",
"value": "HKEY_CURRENT_USER\\Software\\Sysinternals\\Strings"
}
],
"repeated": 0,
"id": 92
},
{
"timestamp": "2026-03-08 06:36:05,194",
"thread_id": "6036",
"caller": "0x003020b6",
"parentcaller": "0x00301ea7",
"category": "misc",
"api": "RtlSetCurrentTransaction",
"status": true,
"return": "0x00000001",
"arguments": [
{
"name": "TransactionHandle",
"value": "0x00000000"
}
],
"repeated": 1,
"id": 93
},
{
"timestamp": "2026-03-08 06:36:05,194",
"thread_id": "6036",
"caller": "0x003020b6",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtOpenKeyEx",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000029c"
},
{
"name": "DesiredAccess",
"value": "0x02000000",
"pretty_value": "MAXIMUM_ALLOWED"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000130"
},
{
"name": "ObjectAttributesName",
"value": "Software\\Microsoft\\windows nt\\currentversion"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\windows nt\\currentversion"
}
],
"repeated": 0,
"id": 94
},
{
"timestamp": "2026-03-08 06:36:05,194",
"thread_id": "6036",
"caller": "0x003020e6",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "RegQueryValueExW",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x0000029c"
},
{
"name": "ValueName",
"value": "ProductName"
},
{
"name": "Data",
"value": "Windows 10 Enterprise"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\ProductName"
}
],
"repeated": 0,
"id": 95
},
{
"timestamp": "2026-03-08 06:36:05,194",
"thread_id": "6036",
"caller": "0x00302178",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "RegCloseKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x0000029c"
}
],
"repeated": 0,
"id": 96
},
{
"timestamp": "2026-03-08 06:36:05,194",
"thread_id": "6036",
"caller": "0x003021b3",
"parentcaller": "0x00301ea7",
"category": "misc",
"api": "RtlSetCurrentTransaction",
"status": true,
"return": "0x00000001",
"arguments": [
{
"name": "TransactionHandle",
"value": "0x00000000"
}
],
"repeated": 1,
"id": 97
},
{
"timestamp": "2026-03-08 06:36:05,194",
"thread_id": "6036",
"caller": "0x003021b3",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtOpenKeyEx",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "KeyHandle",
"value": "0x00000000"
},
{
"name": "DesiredAccess",
"value": "0x02000000",
"pretty_value": "MAXIMUM_ALLOWED"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000130"
},
{
"name": "ObjectAttributesName",
"value": "Software\\Microsoft\\Windows NT\\CurrentVersion\\Server\\ServerLevels"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Server\\ServerLevels"
}
],
"repeated": 0,
"id": 98
},
{
"timestamp": "2026-03-08 06:36:05,194",
"thread_id": "6036",
"caller": "0x00302226",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtAllocateVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x00762000"
},
{
"name": "RegionSize",
"value": "0x00001000"
},
{
"name": "Protection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 99
},
{
"timestamp": "2026-03-08 06:36:05,194",
"thread_id": "6036",
"caller": "0x0030292f",
"parentcaller": "0x00302237",
"category": "system",
"api": "NtQueryLicenseValue",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Name",
"value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
},
{
"name": "Type",
"value": "0x00000004"
}
],
"repeated": 0,
"id": 100
},
{
"timestamp": "2026-03-08 06:36:05,241",
"thread_id": "6036",
"caller": "0x0030295d",
"parentcaller": "0x00302237",
"category": "system",
"api": "DllLoadNotification",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "NotificationReason",
"value": "load"
},
{
"name": "DllName",
"value": "C:\\Windows\\SYSTEM32\\USP10"
},
{
"name": "DllBase",
"value": "0x73dc0000"
}
],
"repeated": 0,
"id": 101
},
{
"timestamp": "2026-03-08 06:36:05,257",
"thread_id": "6036",
"caller": "0x0030295d",
"parentcaller": "0x00302237",
"category": "system",
"api": "DllLoadNotification",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "NotificationReason",
"value": "load"
},
{
"name": "DllName",
"value": "C:\\Windows\\SYSTEM32\\msls31"
},
{
"name": "DllBase",
"value": "0x73d80000"
}
],
"repeated": 0,
"id": 102
},
{
"timestamp": "2026-03-08 06:36:05,257",
"thread_id": "6036",
"caller": "0x0030295d",
"parentcaller": "0x00302237",
"category": "system",
"api": "DllLoadNotification",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "NotificationReason",
"value": "load"
},
{
"name": "DllName",
"value": "C:\\Windows\\SYSTEM32\\RICHED20"
},
{
"name": "DllBase",
"value": "0x73de0000"
}
],
"repeated": 0,
"id": 103
},
{
"timestamp": "2026-03-08 06:36:05,257",
"thread_id": "6036",
"caller": "0x0030295d",
"parentcaller": "0x00302237",
"category": "system",
"api": "DllLoadNotification",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "NotificationReason",
"value": "load"
},
{
"name": "DllName",
"value": "C:\\Windows\\SYSTEM32\\Riched32"
},
{
"name": "DllBase",
"value": "0x73e60000"
}
],
"repeated": 0,
"id": 104
},
{
"timestamp": "2026-03-08 06:36:05,288",
"thread_id": "6036",
"caller": "0x0030295d",
"parentcaller": "0x00302237",
"category": "__notification__",
"api": "sysenter",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ThreadIdentifier",
"value": "6036"
},
{
"name": "Module",
"value": "KERNELBASE.dll"
},
{
"name": "Return Address",
"value": "0x772833ec"
}
],
"repeated": 0,
"id": 105
},
{
"timestamp": "2026-03-08 06:36:05,350",
"thread_id": "6036",
"caller": "0x0030295d",
"parentcaller": "0x00302237",
"category": "system",
"api": "LdrLoadDll",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Flags",
"value": "0x00000000"
},
{
"name": "FileName",
"value": "Riched32.dll"
},
{
"name": "BaseAddress",
"value": "0x73e60000"
}
],
"repeated": 0,
"id": 106
},
{
"timestamp": "2026-03-08 06:36:05,366",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x76a9f000"
},
{
"name": "ModuleName",
"value": "GDI32.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "OldAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 107
},
{
"timestamp": "2026-03-08 06:36:05,366",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x76a9f000"
},
{
"name": "ModuleName",
"value": "GDI32.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 108
},
{
"timestamp": "2026-03-08 06:36:05,366",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x76a9f000"
},
{
"name": "ModuleName",
"value": "GDI32.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "OldAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 109
},
{
"timestamp": "2026-03-08 06:36:05,366",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x76a9f000"
},
{
"name": "ModuleName",
"value": "GDI32.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 110
},
{
"timestamp": "2026-03-08 06:36:05,397",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x76a9f000"
},
{
"name": "ModuleName",
"value": "GDI32.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "OldAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 111
},
{
"timestamp": "2026-03-08 06:36:05,397",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x76a9f000"
},
{
"name": "ModuleName",
"value": "GDI32.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 112
},
{
"timestamp": "2026-03-08 06:36:05,397",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "GetUserDefaultLCID",
"status": true,
"return": "0x00000419",
"arguments": [
{
"name": "SystemDefaultLangID",
"value": "0x00000419"
},
{
"name": "LanguageName",
"value": "Russian"
}
],
"repeated": 0,
"id": 113
},
{
"timestamp": "2026-03-08 06:36:05,397",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtAllocateVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x00763000"
},
{
"name": "RegionSize",
"value": "0x00005000"
},
{
"name": "Protection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 114
},
{
"timestamp": "2026-03-08 06:36:05,397",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtAllocateVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x00768000"
},
{
"name": "RegionSize",
"value": "0x00005000"
},
{
"name": "Protection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 115
},
{
"timestamp": "2026-03-08 06:36:05,397",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x76a9f000"
},
{
"name": "ModuleName",
"value": "GDI32.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "OldAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 116
},
{
"timestamp": "2026-03-08 06:36:05,397",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x76a9f000"
},
{
"name": "ModuleName",
"value": "GDI32.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 117
},
{
"timestamp": "2026-03-08 06:36:05,397",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "DllLoadNotification",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "NotificationReason",
"value": "load"
},
{
"name": "DllName",
"value": "C:\\Windows\\system32\\uxtheme"
},
{
"name": "DllBase",
"value": "0x745d0000"
}
],
"repeated": 0,
"id": 118
},
{
"timestamp": "2026-03-08 06:36:05,397",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrLoadDll",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Flags",
"value": "0x00000000"
},
{
"name": "FileName",
"value": "C:\\Windows\\System32\\uxtheme.dll"
},
{
"name": "BaseAddress",
"value": "0x745d0000"
}
],
"repeated": 0,
"id": 119
},
{
"timestamp": "2026-03-08 06:36:05,397",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "uxtheme.dll"
},
{
"name": "ModuleHandle",
"value": "0x745d0000"
},
{
"name": "FunctionName",
"value": "ThemeInitApiHook"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x74604330"
}
],
"repeated": 0,
"id": 120
},
{
"timestamp": "2026-03-08 06:36:05,397",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "IsDebuggerPresent",
"status": false,
"return": "0x00000000",
"arguments": [],
"repeated": 0,
"id": 121
},
{
"timestamp": "2026-03-08 06:36:05,397",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtQueryInformationToken",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "TokenInformationClass",
"value": "1"
},
{
"name": "TokenInformation",
"value": "8\\xed(\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xcc\\x04\\x82\\xdf\\xb2e\\xf3\\xf4\\xc8\\x97L\\xbe\\xe8\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0>`t~\\x98\\x8bB\\xd0\\xed(\\x00\\xe1>`t"
}
],
"repeated": 0,
"id": 122
},
{
"timestamp": "2026-03-08 06:36:05,397",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002a0"
},
{
"name": "DesiredAccess",
"value": "0x00020019",
"pretty_value": "KEY_READ"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\REGISTRY\\USER\\S-1-5-21-3749840076-4109591986-3192690632-1000"
},
{
"name": "ObjectAttributes",
"value": "HKEY_CURRENT_USER"
}
],
"repeated": 0,
"id": 123
},
{
"timestamp": "2026-03-08 06:36:05,397",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtOpenKeyEx",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002a4"
},
{
"name": "DesiredAccess",
"value": "0x00000001",
"pretty_value": "KEY_QUERY_VALUE"
},
{
"name": "ObjectAttributesHandle",
"value": "0x000002a0"
},
{
"name": "ObjectAttributesName",
"value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize"
},
{
"name": "ObjectAttributes",
"value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize"
}
],
"repeated": 0,
"id": 124
},
{
"timestamp": "2026-03-08 06:36:05,413",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtQueryValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002a4"
},
{
"name": "ValueName",
"value": "AppsUseLightTheme"
},
{
"name": "Type",
"value": "4",
"pretty_value": "REG_DWORD"
},
{
"name": "Information",
"value": "1"
},
{
"name": "FullName",
"value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize\\AppsUseLightTheme"
}
],
"repeated": 0,
"id": 125
},
{
"timestamp": "2026-03-08 06:36:05,413",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002a4"
}
],
"repeated": 0,
"id": 126
},
{
"timestamp": "2026-03-08 06:36:05,413",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002a0"
}
],
"repeated": 0,
"id": 127
},
{
"timestamp": "2026-03-08 06:36:05,413",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtOpenSection",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "SectionHandle",
"value": "0x000002a4"
},
{
"name": "DesiredAccess",
"value": "0x0000000d"
},
{
"name": "ObjectAttributes",
"value": "MSCTF.dll"
}
],
"repeated": 0,
"id": 128
},
{
"timestamp": "2026-03-08 06:36:05,413",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtMapViewOfSection",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "SectionHandle",
"value": "0x000002a4"
},
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x76ba0000"
},
{
"name": "SectionOffset",
"value": "0x00000000"
},
{
"name": "ViewSize",
"value": "0x000d4000"
},
{
"name": "Win32Protect",
"value": "0x00000080",
"pretty_value": "PAGE_EXECUTE_WRITECOPY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 129
},
{
"timestamp": "2026-03-08 06:36:05,413",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x76c68000"
},
{
"name": "ModuleName",
"value": "MSCTF.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 130
},
{
"timestamp": "2026-03-08 06:36:05,413",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x77f69000"
},
{
"name": "ModuleName",
"value": "ntdll.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00003000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "OldAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 131
},
{
"timestamp": "2026-03-08 06:36:05,413",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x77f69000"
},
{
"name": "ModuleName",
"value": "ntdll.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00003000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 132
},
{
"timestamp": "2026-03-08 06:36:05,413",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x76c64000"
},
{
"name": "ModuleName",
"value": "MSCTF.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "OldAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 133
},
{
"timestamp": "2026-03-08 06:36:05,413",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002a4"
}
],
"repeated": 0,
"id": 134
},
{
"timestamp": "2026-03-08 06:36:05,413",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x76c64000"
},
{
"name": "ModuleName",
"value": "MSCTF.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 135
},
{
"timestamp": "2026-03-08 06:36:05,413",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtSetInformationProcess",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessInformationClass",
"value": "35"
},
{
"name": "ProcessInformation",
"value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\n\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00w\\x00s\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00T\\x00E\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00R\\x00i\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x003\\x002\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00"
}
],
"repeated": 0,
"id": 136
},
{
"timestamp": "2026-03-08 06:36:05,413",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetDllHandle",
"status": false,
"return": "0xffffffffc0000135",
"pretty_return": "DLL_NOT_FOUND",
"arguments": [
{
"name": "FileName",
"value": "DDRAW.DLL"
},
{
"name": "ModuleHandle",
"value": "0x00000000"
}
],
"repeated": 1,
"id": 137
},
{
"timestamp": "2026-03-08 06:36:05,413",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetDllHandle",
"status": false,
"return": "0xffffffffc0000135",
"pretty_return": "DLL_NOT_FOUND",
"arguments": [
{
"name": "FileName",
"value": "D3D8.DLL"
},
{
"name": "ModuleHandle",
"value": "0x00000000"
}
],
"repeated": 0,
"id": 138
},
{
"timestamp": "2026-03-08 06:36:05,413",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetDllHandle",
"status": false,
"return": "0xffffffffc0000135",
"pretty_return": "DLL_NOT_FOUND",
"arguments": [
{
"name": "FileName",
"value": "D3D9.DLL"
},
{
"name": "ModuleHandle",
"value": "0x00000000"
}
],
"repeated": 1,
"id": 139
},
{
"timestamp": "2026-03-08 06:36:05,413",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "misc",
"api": "RtlDosPathNameToNtPathName_U",
"status": true,
"return": "0x00000001",
"arguments": [
{
"name": "DosFileName",
"value": "C:\\Windows\\System32\\MSCTF.dll"
}
],
"repeated": 0,
"id": 140
},
{
"timestamp": "2026-03-08 06:36:05,413",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "filesystem",
"api": "NtOpenFile",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileHandle",
"value": "0x000002a4"
},
{
"name": "DesiredAccess",
"value": "0x00020000",
"pretty_value": "READ_CONTROL"
},
{
"name": "FileName",
"value": "C:\\Windows\\System32\\msctf.dll"
},
{
"name": "ShareAccess",
"value": "5",
"pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
}
],
"repeated": 0,
"id": 141
},
{
"timestamp": "2026-03-08 06:36:05,413",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002a4"
}
],
"repeated": 0,
"id": 142
},
{
"timestamp": "2026-03-08 06:36:05,413",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "DllLoadNotification",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "NotificationReason",
"value": "load"
},
{
"name": "DllName",
"value": "C:\\Windows\\System32\\MSCTF"
},
{
"name": "DllBase",
"value": "0x76ba0000"
}
],
"repeated": 0,
"id": 143
},
{
"timestamp": "2026-03-08 06:36:05,428",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrpCallInitRoutine",
"status": true,
"return": "0x00000001",
"arguments": [
{
"name": "MappedPath",
"value": "\\Device\\HarddiskVolume1\\Windows\\SysWOW64\\msctf"
},
{
"name": "BaseAddress",
"value": "0x76ba0000"
},
{
"name": "InitRoutine",
"value": "0x76bee040"
},
{
"name": "Reason",
"value": "1"
}
],
"repeated": 0,
"id": 144
},
{
"timestamp": "2026-03-08 06:36:05,428",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x774fd000"
},
{
"name": "ModuleName",
"value": "IMM32.DLL"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "OldAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 145
},
{
"timestamp": "2026-03-08 06:36:05,428",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x774fd000"
},
{
"name": "ModuleName",
"value": "IMM32.DLL"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 146
},
{
"timestamp": "2026-03-08 06:36:05,428",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002a4"
}
],
"repeated": 0,
"id": 147
},
{
"timestamp": "2026-03-08 06:36:05,444",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002a8"
}
],
"repeated": 0,
"id": 148
},
{
"timestamp": "2026-03-08 06:36:05,444",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x774fd000"
},
{
"name": "ModuleName",
"value": "IMM32.DLL"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "OldAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 149
},
{
"timestamp": "2026-03-08 06:36:05,444",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x774fd000"
},
{
"name": "ModuleName",
"value": "IMM32.DLL"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 150
},
{
"timestamp": "2026-03-08 06:36:05,538",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtOpenSection",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "SectionHandle",
"value": "0x000002a8"
},
{
"name": "DesiredAccess",
"value": "0x00000004"
},
{
"name": "ObjectAttributes",
"value": "\\Sessions\\1\\Windows\\ThemeSection"
}
],
"repeated": 0,
"id": 151
},
{
"timestamp": "2026-03-08 06:36:05,538",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtMapViewOfSection",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "SectionHandle",
"value": "0x000002a8"
},
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x00680000"
},
{
"name": "SectionOffset",
"value": "0x0028e214"
},
{
"name": "ViewSize",
"value": "0x00001000"
},
{
"name": "Win32Protect",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 152
},
{
"timestamp": "2026-03-08 06:36:05,538",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtOpenSection",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "SectionHandle",
"value": "0x000002a4"
},
{
"name": "DesiredAccess",
"value": "0x00000004"
},
{
"name": "ObjectAttributes",
"value": "\\Windows\\Theme3753190323"
}
],
"repeated": 0,
"id": 153
},
{
"timestamp": "2026-03-08 06:36:05,538",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtOpenSection",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "SectionHandle",
"value": "0x000002ac"
},
{
"name": "DesiredAccess",
"value": "0x00000004"
},
{
"name": "ObjectAttributes",
"value": "\\Sessions\\1\\Windows\\Theme4068553709"
}
],
"repeated": 0,
"id": 154
},
{
"timestamp": "2026-03-08 06:36:05,538",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtUnmapViewOfSectionEx",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x00680000"
},
{
"name": "RegionSize",
"value": "0x00001000"
},
{
"name": "Flags",
"value": "0"
}
],
"repeated": 0,
"id": 155
},
{
"timestamp": "2026-03-08 06:36:05,538",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002a8"
}
],
"repeated": 0,
"id": 156
},
{
"timestamp": "2026-03-08 06:36:05,538",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtMapViewOfSection",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "SectionHandle",
"value": "0x000002a4"
},
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x04ef0000"
},
{
"name": "SectionOffset",
"value": "0x0028e8a0"
},
{
"name": "ViewSize",
"value": "0x000e2000"
},
{
"name": "Win32Protect",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 157
},
{
"timestamp": "2026-03-08 06:36:05,538",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtMapViewOfSection",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "SectionHandle",
"value": "0x000002ac"
},
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x00680000"
},
{
"name": "SectionOffset",
"value": "0x0028e8a0"
},
{
"name": "ViewSize",
"value": "0x00004000"
},
{
"name": "Win32Protect",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 158
},
{
"timestamp": "2026-03-08 06:36:05,538",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetDllHandle",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileName",
"value": "ntdll.dll"
},
{
"name": "ModuleHandle",
"value": "0x77e40000"
}
],
"repeated": 0,
"id": 159
},
{
"timestamp": "2026-03-08 06:36:05,538",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "ntdll.dll"
},
{
"name": "ModuleHandle",
"value": "0x77e40000"
},
{
"name": "FunctionName",
"value": "RtlRegisterFeatureConfigurationChangeNotification"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x77e724f0"
}
],
"repeated": 0,
"id": 160
},
{
"timestamp": "2026-03-08 06:36:05,538",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "ntdll.dll"
},
{
"name": "ModuleHandle",
"value": "0x77e40000"
},
{
"name": "FunctionName",
"value": "NtQueryWnfStateData"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x77eb40c0"
}
],
"repeated": 0,
"id": 161
},
{
"timestamp": "2026-03-08 06:36:05,538",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "ntdll.dll"
},
{
"name": "ModuleHandle",
"value": "0x77e40000"
},
{
"name": "FunctionName",
"value": "RtlSubscribeWnfStateChangeNotification"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x77e70780"
}
],
"repeated": 0,
"id": 162
},
{
"timestamp": "2026-03-08 06:36:05,538",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "ntdll.dll"
},
{
"name": "ModuleHandle",
"value": "0x77e40000"
},
{
"name": "FunctionName",
"value": "RtlDisownModuleHeapAllocation"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x77eac2a0"
}
],
"repeated": 0,
"id": 163
},
{
"timestamp": "2026-03-08 06:36:05,538",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "ntdll.dll"
},
{
"name": "ModuleHandle",
"value": "0x77e40000"
},
{
"name": "FunctionName",
"value": "RtlQueryFeatureConfiguration"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x77ea52e0"
}
],
"repeated": 0,
"id": 164
},
{
"timestamp": "2026-03-08 06:36:05,538",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "ntdll.dll"
},
{
"name": "ModuleHandle",
"value": "0x77e40000"
},
{
"name": "FunctionName",
"value": "RtlDllShutdownInProgress"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x77e9f5a0"
}
],
"repeated": 0,
"id": 165
},
{
"timestamp": "2026-03-08 06:36:05,538",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "synchronization",
"api": "NtCreateMutant",
"status": true,
"return": "0x40000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002a8"
},
{
"name": "MutexName",
"value": "Local\\SM0:6132:168:WilStaging_02"
},
{
"name": "InitialOwner",
"value": "0"
}
],
"repeated": 0,
"id": 166
},
{
"timestamp": "2026-03-08 06:36:05,538",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtWaitForSingleObject",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002a8"
},
{
"name": "Milliseconds",
"value": "18446744073709551615"
},
{
"name": "Status",
"value": "Infinite"
}
],
"repeated": 0,
"id": 167
},
{
"timestamp": "2026-03-08 06:36:05,538",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "GetSystemTimeAsFileTime",
"status": true,
"return": "0x00000000",
"arguments": [],
"repeated": 0,
"id": 168
},
{
"timestamp": "2026-03-08 06:36:05,538",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtWaitForSingleObject",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002b0"
},
{
"name": "Milliseconds",
"value": "0"
}
],
"repeated": 0,
"id": 169
},
{
"timestamp": "2026-03-08 06:36:05,538",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002b0"
}
],
"repeated": 0,
"id": 170
},
{
"timestamp": "2026-03-08 06:36:05,538",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "synchronization",
"api": "NtReleaseMutant",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002a8"
}
],
"repeated": 1,
"id": 171
},
{
"timestamp": "2026-03-08 06:36:05,538",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtOpenKey",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "KeyHandle",
"value": "0x00000000"
},
{
"name": "DesiredAccess",
"value": "0x00020019",
"pretty_value": "KEY_READ"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\StateSeparation\\RedirectionMap\\Keys"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\StateSeparation\\RedirectionMap\\Keys"
}
],
"repeated": 0,
"id": 172
},
{
"timestamp": "2026-03-08 06:36:05,538",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002b0"
},
{
"name": "DesiredAccess",
"value": "0x00020019",
"pretty_value": "KEY_READ"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU"
}
],
"repeated": 0,
"id": 173
},
{
"timestamp": "2026-03-08 06:36:05,538",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtQueryValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002b0"
},
{
"name": "ValueName",
"value": "Latest"
},
{
"name": "Type",
"value": "1",
"pretty_value": "REG_SZ"
},
{
"name": "Information",
"value": "C:\\Program Files\\WindowsApps\\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU\\Latest"
}
],
"repeated": 0,
"id": 174
},
{
"timestamp": "2026-03-08 06:36:05,538",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002b0"
}
],
"repeated": 0,
"id": 175
},
{
"timestamp": "2026-03-08 06:36:05,553",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "filesystem",
"api": "NtOpenFile",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileHandle",
"value": "0x000002b0"
},
{
"name": "DesiredAccess",
"value": "0x00100001",
"pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
},
{
"name": "FileName",
"value": "C:\\Program Files\\WindowsApps\\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe\\Windows\\System32\\ru-RU\\USER32.dll.mui"
},
{
"name": "ShareAccess",
"value": "5",
"pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
}
],
"repeated": 0,
"id": 176
},
{
"timestamp": "2026-03-08 06:36:05,553",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtCreateSection",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "SectionHandle",
"value": "0x000002b4"
},
{
"name": "DesiredAccess",
"value": "0x000f0005",
"pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
},
{
"name": "ObjectAttributes",
"value": ""
},
{
"name": "FileHandle",
"value": "0x000002b0"
},
{
"name": "FileName",
"value": "C:\\Program Files\\WindowsApps\\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe\\Windows\\System32\\ru-RU\\user32.dll.mui"
}
],
"repeated": 0,
"id": 177
},
{
"timestamp": "2026-03-08 06:36:05,553",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtMapViewOfSection",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "SectionHandle",
"value": "0x000002b4"
},
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x00720000"
},
{
"name": "SectionOffset",
"value": "0x0028e1c0"
},
{
"name": "ViewSize",
"value": "0x00008000"
},
{
"name": "Win32Protect",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 178
},
{
"timestamp": "2026-03-08 06:36:05,553",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002b4"
}
],
"repeated": 0,
"id": 179
},
{
"timestamp": "2026-03-08 06:36:05,616",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x76a9f000"
},
{
"name": "ModuleName",
"value": "GDI32.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "OldAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 180
},
{
"timestamp": "2026-03-08 06:36:05,616",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x76a9f000"
},
{
"name": "ModuleName",
"value": "GDI32.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 181
},
{
"timestamp": "2026-03-08 06:36:05,616",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtAllocateVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x04ee1000"
},
{
"name": "RegionSize",
"value": "0x00001000"
},
{
"name": "Protection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 182
},
{
"timestamp": "2026-03-08 06:36:05,632",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "misc",
"api": "GetKeyboardLayout",
"status": true,
"return": "0x04190419",
"arguments": [
{
"name": "KeyboardLayout",
"value": "0x00000419"
},
{
"name": "LanguageName",
"value": "Russian"
}
],
"repeated": 0,
"id": 183
},
{
"timestamp": "2026-03-08 06:36:05,632",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtQueryInformationToken",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "TokenInformationClass",
"value": "1"
},
{
"name": "TokenInformation",
"value": "p\\xd5(\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xcc\\x04\\x82\\xdf\\xb2e\\xf3\\xf4\\xc8\\x97L\\xbe\\xe8\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00p\\x02s\\x00w8t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\xec(\\x00\\x00\\xae\\xebw\\xe3h\\xc36"
}
],
"repeated": 0,
"id": 184
},
{
"timestamp": "2026-03-08 06:36:05,632",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002b4"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\REGISTRY\\USER\\S-1-5-21-3749840076-4109591986-3192690632-1000"
},
{
"name": "ObjectAttributes",
"value": "HKEY_CURRENT_USER"
}
],
"repeated": 0,
"id": 185
},
{
"timestamp": "2026-03-08 06:36:05,632",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002b4"
}
],
"repeated": 0,
"id": 186
},
{
"timestamp": "2026-03-08 06:36:05,632",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002b4"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\REGISTRY\\USER\\S-1-5-21-3749840076-4109591986-3192690632-1000\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
},
{
"name": "ObjectAttributes",
"value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
}
],
"repeated": 0,
"id": 187
},
{
"timestamp": "2026-03-08 06:36:05,632",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002b4"
},
{
"name": "ValueName",
"value": "ScrollInset"
},
{
"name": "FullName",
"value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\ScrollInset"
}
],
"repeated": 0,
"id": 188
},
{
"timestamp": "2026-03-08 06:36:05,632",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002b4"
}
],
"repeated": 0,
"id": 189
},
{
"timestamp": "2026-03-08 06:36:05,632",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtQueryInformationToken",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "TokenInformationClass",
"value": "1"
},
{
"name": "TokenInformation",
"value": "p\\xd5(\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xcc\\x04\\x82\\xdf\\xb2e\\xf3\\xf4\\xc8\\x97L\\xbe\\xe8\\x03\\x00\\x00\\x9c\\x8ds\\x00\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00p\\x02s\\x00w8t\\x00p8t\\x00\\x00\\x00\\x00\\x00(\\xec(\\x00\\x00\\xae\\xebw\\xe3h\\xc36"
}
],
"repeated": 0,
"id": 190
},
{
"timestamp": "2026-03-08 06:36:05,632",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002b4"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\REGISTRY\\USER\\S-1-5-21-3749840076-4109591986-3192690632-1000"
},
{
"name": "ObjectAttributes",
"value": "HKEY_CURRENT_USER"
}
],
"repeated": 0,
"id": 191
},
{
"timestamp": "2026-03-08 06:36:05,632",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002b4"
}
],
"repeated": 0,
"id": 192
},
{
"timestamp": "2026-03-08 06:36:05,632",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002b4"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\REGISTRY\\USER\\S-1-5-21-3749840076-4109591986-3192690632-1000\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
},
{
"name": "ObjectAttributes",
"value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
}
],
"repeated": 0,
"id": 193
},
{
"timestamp": "2026-03-08 06:36:05,632",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002b4"
},
{
"name": "ValueName",
"value": "DragDelay"
},
{
"name": "FullName",
"value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\DragDelay"
}
],
"repeated": 0,
"id": 194
},
{
"timestamp": "2026-03-08 06:36:05,632",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002b4"
}
],
"repeated": 0,
"id": 195
},
{
"timestamp": "2026-03-08 06:36:05,632",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtQueryInformationToken",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "TokenInformationClass",
"value": "1"
},
{
"name": "TokenInformation",
"value": "p\\xd5(\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xcc\\x04\\x82\\xdf\\xb2e\\xf3\\xf4\\xc8\\x97L\\xbe\\xe8\\x03\\x00\\x00\\x9c\\x8ds\\x00\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00p\\x02s\\x00w8t\\x00p8t\\x00\\x00\\x00\\x00\\x00(\\xec(\\x00\\x00\\xae\\xebw\\xe3h\\xc36"
}
],
"repeated": 0,
"id": 196
},
{
"timestamp": "2026-03-08 06:36:05,632",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002b4"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\REGISTRY\\USER\\S-1-5-21-3749840076-4109591986-3192690632-1000"
},
{
"name": "ObjectAttributes",
"value": "HKEY_CURRENT_USER"
}
],
"repeated": 0,
"id": 197
},
{
"timestamp": "2026-03-08 06:36:05,632",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002b4"
}
],
"repeated": 0,
"id": 198
},
{
"timestamp": "2026-03-08 06:36:05,632",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002b4"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\REGISTRY\\USER\\S-1-5-21-3749840076-4109591986-3192690632-1000\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
},
{
"name": "ObjectAttributes",
"value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
}
],
"repeated": 0,
"id": 199
},
{
"timestamp": "2026-03-08 06:36:05,632",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002b4"
},
{
"name": "ValueName",
"value": "DragMinDist"
},
{
"name": "FullName",
"value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\DragMinDist"
}
],
"repeated": 0,
"id": 200
},
{
"timestamp": "2026-03-08 06:36:05,632",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002b4"
}
],
"repeated": 0,
"id": 201
},
{
"timestamp": "2026-03-08 06:36:05,632",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtQueryInformationToken",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "TokenInformationClass",
"value": "1"
},
{
"name": "TokenInformation",
"value": "p\\xd5(\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xcc\\x04\\x82\\xdf\\xb2e\\xf3\\xf4\\xc8\\x97L\\xbe\\xe8\\x03\\x00\\x00\\x9c\\x8ds\\x00\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00p\\x02s\\x00w8t\\x00p8t\\x00\\x00\\x00\\x00\\x00(\\xec(\\x00\\x00\\xae\\xebw\\xe3h\\xc36"
}
],
"repeated": 0,
"id": 202
},
{
"timestamp": "2026-03-08 06:36:05,632",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002b4"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\REGISTRY\\USER\\S-1-5-21-3749840076-4109591986-3192690632-1000"
},
{
"name": "ObjectAttributes",
"value": "HKEY_CURRENT_USER"
}
],
"repeated": 0,
"id": 203
},
{
"timestamp": "2026-03-08 06:36:05,632",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002b4"
}
],
"repeated": 0,
"id": 204
},
{
"timestamp": "2026-03-08 06:36:05,632",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002b4"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\REGISTRY\\USER\\S-1-5-21-3749840076-4109591986-3192690632-1000\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
},
{
"name": "ObjectAttributes",
"value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
}
],
"repeated": 0,
"id": 205
},
{
"timestamp": "2026-03-08 06:36:05,632",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002b4"
},
{
"name": "ValueName",
"value": "ScrollDelay"
},
{
"name": "FullName",
"value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\ScrollDelay"
}
],
"repeated": 0,
"id": 206
},
{
"timestamp": "2026-03-08 06:36:05,632",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002b4"
}
],
"repeated": 0,
"id": 207
},
{
"timestamp": "2026-03-08 06:36:05,632",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtQueryInformationToken",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "TokenInformationClass",
"value": "1"
},
{
"name": "TokenInformation",
"value": "p\\xd5(\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xcc\\x04\\x82\\xdf\\xb2e\\xf3\\xf4\\xc8\\x97L\\xbe\\xe8\\x03\\x00\\x00\\x9c\\x8ds\\x00\\x7f\\x00\\x00\\x00p\\x02s\\x00a\\x00\\x00\\x00\\x02\\x00\\x00\\x00w8t\\x00p8t\\x00\\x00\\x00\\x00\\x00(\\xec(\\x00\\x00\\xae\\xebw\\xe3h\\xc36"
}
],
"repeated": 0,
"id": 208
},
{
"timestamp": "2026-03-08 06:36:05,632",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002b4"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\REGISTRY\\USER\\S-1-5-21-3749840076-4109591986-3192690632-1000"
},
{
"name": "ObjectAttributes",
"value": "HKEY_CURRENT_USER"
}
],
"repeated": 0,
"id": 209
},
{
"timestamp": "2026-03-08 06:36:05,632",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002b4"
}
],
"repeated": 0,
"id": 210
},
{
"timestamp": "2026-03-08 06:36:05,632",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002b4"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\REGISTRY\\USER\\S-1-5-21-3749840076-4109591986-3192690632-1000\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
},
{
"name": "ObjectAttributes",
"value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
}
],
"repeated": 0,
"id": 211
},
{
"timestamp": "2026-03-08 06:36:05,632",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002b4"
},
{
"name": "ValueName",
"value": "ScrollInterval"
},
{
"name": "FullName",
"value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\ScrollInterval"
}
],
"repeated": 0,
"id": 212
},
{
"timestamp": "2026-03-08 06:36:05,632",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002b4"
}
],
"repeated": 0,
"id": 213
},
{
"timestamp": "2026-03-08 06:36:05,632",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "misc",
"api": "RtlDosPathNameToNtPathName_U",
"status": true,
"return": "0x00000001",
"arguments": [
{
"name": "DosFileName",
"value": "C:\\Windows\\win.ini"
}
],
"repeated": 0,
"id": 214
},
{
"timestamp": "2026-03-08 06:36:05,632",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "filesystem",
"api": "NtOpenFile",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileHandle",
"value": "0x000002b4"
},
{
"name": "DesiredAccess",
"value": "0x80100000",
"pretty_value": "GENERIC_READ|SYNCHRONIZE"
},
{
"name": "FileName",
"value": "C:\\Windows\\win.ini"
},
{
"name": "ShareAccess",
"value": "7",
"pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
}
],
"repeated": 0,
"id": 215
},
{
"timestamp": "2026-03-08 06:36:05,632",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "filesystem",
"api": "NtQueryInformationFile",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileHandle",
"value": "0x000002b4"
},
{
"name": "HandleName",
"value": "C:\\Windows\\win.ini"
},
{
"name": "FileInformationClass",
"value": "5",
"pretty_value": "FileStandardInformation"
},
{
"name": "FileInformation",
"value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
}
],
"repeated": 0,
"id": 216
},
{
"timestamp": "2026-03-08 06:36:05,632",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtAllocateVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x04fe0000"
},
{
"name": "RegionSize",
"value": "0x00101000"
},
{
"name": "Protection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 217
},
{
"timestamp": "2026-03-08 06:36:05,632",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtAllocateVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x04fe0000"
},
{
"name": "RegionSize",
"value": "0x00001000"
},
{
"name": "Protection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 218
},
{
"timestamp": "2026-03-08 06:36:05,632",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "filesystem",
"api": "NtReadFile",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileHandle",
"value": "0x000002b4"
},
{
"name": "HandleName",
"value": "C:\\Windows\\win.ini"
},
{
"name": "Buffer",
"value": "; for 16-bit app support\r\n[fonts]\r\n[extensions]\r\n[mci extensions]\r\n[files]\r\n[Mail]\r\nMAPI=1\r\n"
},
{
"name": "Length",
"value": "92"
}
],
"repeated": 0,
"id": 219
},
{
"timestamp": "2026-03-08 06:36:05,632",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtFreeVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x04fe0000"
},
{
"name": "RegionSize",
"value": "0x00101000"
},
{
"name": "FreeType",
"value": "0x00008000"
}
],
"repeated": 0,
"id": 220
},
{
"timestamp": "2026-03-08 06:36:05,632",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002b4"
}
],
"repeated": 0,
"id": 221
},
{
"timestamp": "2026-03-08 06:36:05,632",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtOpenProcessToken",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "DesiredAccess",
"value": "0x00000008"
},
{
"name": "TokenHandle",
"value": "0x000002b4"
}
],
"repeated": 0,
"id": 222
},
{
"timestamp": "2026-03-08 06:36:05,632",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtQueryInformationToken",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "TokenInformationClass",
"value": "10"
},
{
"name": "TokenInformation",
"value": "\\xee\\xd6\\x10\\x00\\x00\\x00\\x00\\x00\\xcc\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\xa6\\x04\\x0f\\x00\\x00\\x00\\x00\\x00"
}
],
"repeated": 0,
"id": 223
},
{
"timestamp": "2026-03-08 06:36:05,632",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002b4"
}
],
"repeated": 0,
"id": 224
},
{
"timestamp": "2026-03-08 06:36:05,647",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "GetSystemDefaultLangID",
"status": true,
"return": "0x00750419",
"arguments": [
{
"name": "SystemDefaultLangID",
"value": "0x00750419"
},
{
"name": "LanguageName",
"value": "Russian"
}
],
"repeated": 0,
"id": 225
},
{
"timestamp": "2026-03-08 06:36:05,678",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x76a9f000"
},
{
"name": "ModuleName",
"value": "GDI32.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "OldAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 226
},
{
"timestamp": "2026-03-08 06:36:05,678",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x76a9f000"
},
{
"name": "ModuleName",
"value": "GDI32.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 227
},
{
"timestamp": "2026-03-08 06:36:05,678",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x76a9f000"
},
{
"name": "ModuleName",
"value": "GDI32.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "OldAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 228
},
{
"timestamp": "2026-03-08 06:36:05,678",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x76a9f000"
},
{
"name": "ModuleName",
"value": "GDI32.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 229
},
{
"timestamp": "2026-03-08 06:36:05,694",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "misc",
"api": "GetKeyboardLayout",
"status": true,
"return": "0x04190419",
"arguments": [
{
"name": "KeyboardLayout",
"value": "0x00000419"
},
{
"name": "LanguageName",
"value": "Russian"
}
],
"repeated": 0,
"id": 230
},
{
"timestamp": "2026-03-08 06:36:05,694",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtAllocateVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x0076d000"
},
{
"name": "RegionSize",
"value": "0x00001000"
},
{
"name": "Protection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 231
},
{
"timestamp": "2026-03-08 06:36:05,694",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtAllocateVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x04ee2000"
},
{
"name": "RegionSize",
"value": "0x00002000"
},
{
"name": "Protection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 232
},
{
"timestamp": "2026-03-08 06:36:05,694",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtAllocateVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x04ee4000"
},
{
"name": "RegionSize",
"value": "0x00002000"
},
{
"name": "Protection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 233
},
{
"timestamp": "2026-03-08 06:36:05,694",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002b8"
},
{
"name": "DesiredAccess",
"value": "0x00000009",
"pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\Session Manager"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager"
}
],
"repeated": 0,
"id": 234
},
{
"timestamp": "2026-03-08 06:36:05,694",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002b8"
},
{
"name": "ValueName",
"value": "ResourcePolicies"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\ResourcePolicies"
}
],
"repeated": 0,
"id": 235
},
{
"timestamp": "2026-03-08 06:36:05,694",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002b8"
}
],
"repeated": 0,
"id": 236
},
{
"timestamp": "2026-03-08 06:36:05,694",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtAllocateVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x02510000"
},
{
"name": "RegionSize",
"value": "0x00008000"
},
{
"name": "Protection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 237
},
{
"timestamp": "2026-03-08 06:36:05,694",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtAllocateVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x02510000"
},
{
"name": "RegionSize",
"value": "0x00001000"
},
{
"name": "Protection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 238
},
{
"timestamp": "2026-03-08 06:36:05,694",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002b8"
},
{
"name": "DesiredAccess",
"value": "0x00020019",
"pretty_value": "KEY_READ"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"
}
],
"repeated": 0,
"id": 239
},
{
"timestamp": "2026-03-08 06:36:05,694",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002b8"
},
{
"name": "ValueName",
"value": "PreferExternalManifest"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest"
}
],
"repeated": 0,
"id": 240
},
{
"timestamp": "2026-03-08 06:36:05,694",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002b8"
}
],
"repeated": 0,
"id": 241
},
{
"timestamp": "2026-03-08 06:36:05,694",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "filesystem",
"api": "NtOpenFile",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "FileHandle",
"value": "0x00000000"
},
{
"name": "DesiredAccess",
"value": "0x001200a9",
"pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_EXECUTE"
},
{
"name": "FileName",
"value": "C:\\Windows\\System32\\uxtheme.dll.Config"
},
{
"name": "ShareAccess",
"value": "5",
"pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
}
],
"repeated": 0,
"id": 242
},
{
"timestamp": "2026-03-08 06:36:05,694",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "filesystem",
"api": "NtOpenFile",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileHandle",
"value": "0x000002b8"
},
{
"name": "DesiredAccess",
"value": "0x00120089",
"pretty_value": "FILE_GENERIC_READ"
},
{
"name": "FileName",
"value": "C:\\Windows\\System32\\uxtheme.dll"
},
{
"name": "ShareAccess",
"value": "5",
"pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
}
],
"repeated": 0,
"id": 243
},
{
"timestamp": "2026-03-08 06:36:05,710",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "__notification__",
"api": "sysenter",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ThreadIdentifier",
"value": "6036"
},
{
"name": "Module",
"value": "KERNEL32.DLL"
},
{
"name": "Return Address",
"value": "0x76ad24ac"
}
],
"repeated": 0,
"id": 244
},
{
"timestamp": "2026-03-08 06:36:05,710",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002b8"
}
],
"repeated": 0,
"id": 245
},
{
"timestamp": "2026-03-08 06:36:05,710",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtOpenKey",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "KeyHandle",
"value": "0x00000000"
},
{
"name": "DesiredAccess",
"value": "0x00000008",
"pretty_value": "KEY_ENUMERATE_SUB_KEYS"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\AssemblyStorageRoots"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\AssemblyStorageRoots"
}
],
"repeated": 0,
"id": 246
},
{
"timestamp": "2026-03-08 06:36:05,710",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "filesystem",
"api": "NtQueryAttributesFile",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "FileName",
"value": "C:\\Users\\cape\\AppData\\Local\\Temp\\strings.exe.Local\\"
}
],
"repeated": 0,
"id": 247
},
{
"timestamp": "2026-03-08 06:36:05,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "filesystem",
"api": "NtOpenFile",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileHandle",
"value": "0x000002b8"
},
{
"name": "DesiredAccess",
"value": "0x00100020",
"pretty_value": "FILE_EXECUTE|SYNCHRONIZE"
},
{
"name": "FileName",
"value": "C:\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984"
},
{
"name": "ShareAccess",
"value": "3",
"pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
}
],
"repeated": 0,
"id": 248
},
{
"timestamp": "2026-03-08 06:36:05,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "filesystem",
"api": "NtQueryAttributesFile",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileName",
"value": "C:\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984\\comctl32.dll"
}
],
"repeated": 0,
"id": 249
},
{
"timestamp": "2026-03-08 06:36:05,772",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "filesystem",
"api": "NtOpenFile",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileHandle",
"value": "0x000002b4"
},
{
"name": "DesiredAccess",
"value": "0x00100021",
"pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
},
{
"name": "FileName",
"value": "C:\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984\\comctl32.dll"
},
{
"name": "ShareAccess",
"value": "5",
"pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
}
],
"repeated": 0,
"id": 250
},
{
"timestamp": "2026-03-08 06:36:05,819",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtCreateSection",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "SectionHandle",
"value": "0x0000023c"
},
{
"name": "DesiredAccess",
"value": "0x0000000d",
"pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
},
{
"name": "ObjectAttributes",
"value": ""
},
{
"name": "FileHandle",
"value": "0x000002b4"
},
{
"name": "FileName",
"value": "C:\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984\\comctl32.dll"
}
],
"repeated": 0,
"id": 251
},
{
"timestamp": "2026-03-08 06:36:05,819",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtMapViewOfSection",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "SectionHandle",
"value": "0x0000023c"
},
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x73b70000"
},
{
"name": "SectionOffset",
"value": "0x00000000"
},
{
"name": "ViewSize",
"value": "0x00210000"
},
{
"name": "Win32Protect",
"value": "0x00000080",
"pretty_value": "PAGE_EXECUTE_WRITECOPY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 252
},
{
"timestamp": "2026-03-08 06:36:05,819",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x73d20000"
},
{
"name": "ModuleName",
"value": "comctl32.DLL"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 253
},
{
"timestamp": "2026-03-08 06:36:05,819",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x77f69000"
},
{
"name": "ModuleName",
"value": "ntdll.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00003000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "OldAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 254
},
{
"timestamp": "2026-03-08 06:36:05,819",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x77f69000"
},
{
"name": "ModuleName",
"value": "ntdll.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00003000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 255
},
{
"timestamp": "2026-03-08 06:36:05,819",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x73d1b000"
},
{
"name": "ModuleName",
"value": "comctl32.DLL"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "OldAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 256
},
{
"timestamp": "2026-03-08 06:36:05,819",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x73d1b000"
},
{
"name": "ModuleName",
"value": "comctl32.DLL"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 257
},
{
"timestamp": "2026-03-08 06:36:05,819",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtSetInformationProcess",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessInformationClass",
"value": "35"
},
{
"name": "ProcessInformation",
"value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00c\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00a\\x00\\\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00l\\x00\\\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00"
}
],
"repeated": 0,
"id": 258
},
{
"timestamp": "2026-03-08 06:36:05,819",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x0000023c"
}
],
"repeated": 0,
"id": 259
},
{
"timestamp": "2026-03-08 06:36:05,819",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002b4"
}
],
"repeated": 0,
"id": 260
},
{
"timestamp": "2026-03-08 06:36:05,819",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetDllHandle",
"status": false,
"return": "0xffffffffc0000135",
"pretty_return": "DLL_NOT_FOUND",
"arguments": [
{
"name": "FileName",
"value": "DDRAW.DLL"
},
{
"name": "ModuleHandle",
"value": "0x00000000"
}
],
"repeated": 1,
"id": 261
},
{
"timestamp": "2026-03-08 06:36:05,819",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetDllHandle",
"status": false,
"return": "0xffffffffc0000135",
"pretty_return": "DLL_NOT_FOUND",
"arguments": [
{
"name": "FileName",
"value": "D3D8.DLL"
},
{
"name": "ModuleHandle",
"value": "0x00000000"
}
],
"repeated": 0,
"id": 262
},
{
"timestamp": "2026-03-08 06:36:05,819",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetDllHandle",
"status": false,
"return": "0xffffffffc0000135",
"pretty_return": "DLL_NOT_FOUND",
"arguments": [
{
"name": "FileName",
"value": "D3D9.DLL"
},
{
"name": "ModuleHandle",
"value": "0x00000000"
}
],
"repeated": 1,
"id": 263
},
{
"timestamp": "2026-03-08 06:36:05,819",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "DllLoadNotification",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "NotificationReason",
"value": "load"
},
{
"name": "DllName",
"value": "C:\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984\\comctl32"
},
{
"name": "DllBase",
"value": "0x73b70000"
}
],
"repeated": 0,
"id": 264
},
{
"timestamp": "2026-03-08 06:36:05,882",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtAllocateVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x0076f000"
},
{
"name": "RegionSize",
"value": "0x00003000"
},
{
"name": "Protection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 265
},
{
"timestamp": "2026-03-08 06:36:05,882",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "filesystem",
"api": "NtOpenFile",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileHandle",
"value": "0x000002bc"
},
{
"name": "DesiredAccess",
"value": "0x001200a9",
"pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_EXECUTE"
},
{
"name": "FileName",
"value": "C:\\Windows\\WindowsShell.Manifest"
},
{
"name": "ShareAccess",
"value": "5",
"pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
}
],
"repeated": 0,
"id": 266
},
{
"timestamp": "2026-03-08 06:36:05,882",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtCreateSection",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "SectionHandle",
"value": "0x000002c0"
},
{
"name": "DesiredAccess",
"value": "0x00000004",
"pretty_value": "SECTION_MAP_READ"
},
{
"name": "ObjectAttributes",
"value": ""
},
{
"name": "FileHandle",
"value": "0x000002bc"
},
{
"name": "FileName",
"value": "C:\\Windows\\WindowsShell.Manifest"
}
],
"repeated": 0,
"id": 267
},
{
"timestamp": "2026-03-08 06:36:05,882",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtMapViewOfSection",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "SectionHandle",
"value": "0x000002c0"
},
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x02530000"
},
{
"name": "SectionOffset",
"value": "0x00000000"
},
{
"name": "ViewSize",
"value": "0x00001000"
},
{
"name": "Win32Protect",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 268
},
{
"timestamp": "2026-03-08 06:36:05,882",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c4"
},
{
"name": "DesiredAccess",
"value": "0x00020019",
"pretty_value": "KEY_READ"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"
}
],
"repeated": 0,
"id": 269
},
{
"timestamp": "2026-03-08 06:36:05,882",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c4"
},
{
"name": "ValueName",
"value": "PreferExternalManifest"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest"
}
],
"repeated": 0,
"id": 270
},
{
"timestamp": "2026-03-08 06:36:05,882",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002c4"
}
],
"repeated": 0,
"id": 271
},
{
"timestamp": "2026-03-08 06:36:05,882",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "filesystem",
"api": "NtQueryInformationFile",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileHandle",
"value": "0x000002bc"
},
{
"name": "HandleName",
"value": "C:\\Windows\\WindowsShell.Manifest"
},
{
"name": "FileInformationClass",
"value": "5",
"pretty_value": "FileStandardInformation"
},
{
"name": "FileInformation",
"value": "\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x9e\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
}
],
"repeated": 0,
"id": 272
},
{
"timestamp": "2026-03-08 06:36:05,897",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "__notification__",
"api": "sysenter",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ThreadIdentifier",
"value": "6036"
},
{
"name": "Module",
"value": "KERNEL32.DLL"
},
{
"name": "Return Address",
"value": "0x76ad24ac"
}
],
"repeated": 0,
"id": 273
},
{
"timestamp": "2026-03-08 06:36:05,913",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002bc"
}
],
"repeated": 0,
"id": 274
},
{
"timestamp": "2026-03-08 06:36:05,913",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002c0"
}
],
"repeated": 0,
"id": 275
},
{
"timestamp": "2026-03-08 06:36:05,913",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtUnmapViewOfSection",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x02530000"
},
{
"name": "RegionSize",
"value": "0x00001000"
}
],
"repeated": 0,
"id": 276
},
{
"timestamp": "2026-03-08 06:36:05,913",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "synchronization",
"api": "NtAddAtomEx",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "AtomName",
"value": "ThemePropScrollBarCtl"
},
{
"name": "Atom",
"value": "0x0000c021"
}
],
"repeated": 0,
"id": 277
},
{
"timestamp": "2026-03-08 06:36:05,913",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "synchronization",
"api": "NtAddAtomEx",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "AtomName",
"value": "MicrosoftTabletPenServiceProperty"
},
{
"name": "Atom",
"value": "0x0000c022"
}
],
"repeated": 0,
"id": 278
},
{
"timestamp": "2026-03-08 06:36:05,913",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "misc",
"api": "SystemParametersInfoW",
"status": true,
"return": "0x00000001",
"arguments": [
{
"name": "Action",
"value": "0x00001022"
},
{
"name": "uiParam",
"value": "0x00000000"
}
],
"repeated": 0,
"id": 279
},
{
"timestamp": "2026-03-08 06:36:05,913",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetDllHandle",
"status": false,
"return": "0xffffffffc0000135",
"pretty_return": "DLL_NOT_FOUND",
"arguments": [
{
"name": "FileName",
"value": "LPK"
},
{
"name": "ModuleHandle",
"value": "0x0049414e"
}
],
"repeated": 0,
"id": 280
},
{
"timestamp": "2026-03-08 06:36:05,913",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetDllHandle",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileName",
"value": "GDI32"
},
{
"name": "ModuleHandle",
"value": "0x76a80000"
}
],
"repeated": 0,
"id": 281
},
{
"timestamp": "2026-03-08 06:36:05,913",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "GDI32.dll"
},
{
"name": "ModuleHandle",
"value": "0x76a80000"
},
{
"name": "FunctionName",
"value": "LpkEditControl"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x76a9c440"
}
],
"repeated": 0,
"id": 282
},
{
"timestamp": "2026-03-08 06:36:05,913",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrpCallInitRoutine",
"status": true,
"return": "0x00000001",
"arguments": [
{
"name": "MappedPath",
"value": "\\Device\\HarddiskVolume1\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984\\comctl32"
},
{
"name": "BaseAddress",
"value": "0x73b70000"
},
{
"name": "InitRoutine",
"value": "0x73bf54e0"
},
{
"name": "Reason",
"value": "1"
}
],
"repeated": 0,
"id": 283
},
{
"timestamp": "2026-03-08 06:36:05,913",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "comctl32.DLL"
},
{
"name": "ModuleHandle",
"value": "0x73b70000"
},
{
"name": "FunctionName",
"value": "HIMAGELIST_QueryInterface"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x73bcee70"
}
],
"repeated": 0,
"id": 284
},
{
"timestamp": "2026-03-08 06:36:05,913",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "comctl32.DLL"
},
{
"name": "ModuleHandle",
"value": "0x73b70000"
},
{
"name": "FunctionName",
"value": "DrawShadowText"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x73c38500"
}
],
"repeated": 0,
"id": 285
},
{
"timestamp": "2026-03-08 06:36:05,913",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "comctl32.DLL"
},
{
"name": "ModuleHandle",
"value": "0x73b70000"
},
{
"name": "FunctionName",
"value": "DrawSizeBox"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x73be6db0"
}
],
"repeated": 0,
"id": 286
},
{
"timestamp": "2026-03-08 06:36:05,913",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "comctl32.DLL"
},
{
"name": "ModuleHandle",
"value": "0x73b70000"
},
{
"name": "FunctionName",
"value": "DrawScrollBar"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x73be7780"
}
],
"repeated": 0,
"id": 287
},
{
"timestamp": "2026-03-08 06:36:05,913",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "comctl32.DLL"
},
{
"name": "ModuleHandle",
"value": "0x73b70000"
},
{
"name": "FunctionName",
"value": "SizeBoxHwnd"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x73bea240"
}
],
"repeated": 0,
"id": 288
},
{
"timestamp": "2026-03-08 06:36:05,913",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "comctl32.DLL"
},
{
"name": "ModuleHandle",
"value": "0x73b70000"
},
{
"name": "FunctionName",
"value": "ScrollBar_MouseMove"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x73c30df0"
}
],
"repeated": 0,
"id": 289
},
{
"timestamp": "2026-03-08 06:36:05,913",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "comctl32.DLL"
},
{
"name": "ModuleHandle",
"value": "0x73b70000"
},
{
"name": "FunctionName",
"value": "ScrollBar_Menu"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x73c30c30"
}
],
"repeated": 0,
"id": 290
},
{
"timestamp": "2026-03-08 06:36:05,913",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "comctl32.DLL"
},
{
"name": "ModuleHandle",
"value": "0x73b70000"
},
{
"name": "FunctionName",
"value": "HandleScrollCmd"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x73c30ba0"
}
],
"repeated": 0,
"id": 291
},
{
"timestamp": "2026-03-08 06:36:05,913",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "comctl32.DLL"
},
{
"name": "ModuleHandle",
"value": "0x73b70000"
},
{
"name": "FunctionName",
"value": "DetachScrollBars"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x73be6f40"
}
],
"repeated": 0,
"id": 292
},
{
"timestamp": "2026-03-08 06:36:05,913",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "comctl32.DLL"
},
{
"name": "ModuleHandle",
"value": "0x73b70000"
},
{
"name": "FunctionName",
"value": "AttachScrollBars"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x73be6f20"
}
],
"repeated": 0,
"id": 293
},
{
"timestamp": "2026-03-08 06:36:05,913",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "comctl32.DLL"
},
{
"name": "ModuleHandle",
"value": "0x73b70000"
},
{
"name": "FunctionName",
"value": "CCSetScrollInfo"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x73be8190"
}
],
"repeated": 0,
"id": 294
},
{
"timestamp": "2026-03-08 06:36:05,913",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "comctl32.DLL"
},
{
"name": "ModuleHandle",
"value": "0x73b70000"
},
{
"name": "FunctionName",
"value": "CCGetScrollInfo"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x73bec220"
}
],
"repeated": 0,
"id": 295
},
{
"timestamp": "2026-03-08 06:36:05,913",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "comctl32.DLL"
},
{
"name": "ModuleHandle",
"value": "0x73b70000"
},
{
"name": "FunctionName",
"value": "CCEnableScrollBar"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x73ba55e0"
}
],
"repeated": 0,
"id": 296
},
{
"timestamp": "2026-03-08 06:36:05,913",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "comctl32.DLL"
},
{
"name": "ModuleHandle",
"value": "0x73b70000"
},
{
"name": "FunctionName",
"value": "QuerySystemGestureStatus"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x73c30be0"
}
],
"repeated": 0,
"id": 297
},
{
"timestamp": "2026-03-08 06:36:05,975",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x73d20000"
},
{
"name": "ModuleName",
"value": "comctl32.DLL"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "OldAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 298
},
{
"timestamp": "2026-03-08 06:36:05,975",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x73d20000"
},
{
"name": "ModuleName",
"value": "comctl32.DLL"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 299
},
{
"timestamp": "2026-03-08 06:36:05,975",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "misc",
"api": "SystemParametersInfoW",
"status": true,
"return": "0x00000001",
"arguments": [
{
"name": "Action",
"value": "0x00000042"
},
{
"name": "uiParam",
"value": "0x0000000c"
}
],
"repeated": 1,
"id": 300
},
{
"timestamp": "2026-03-08 06:36:05,975",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x76a9f000"
},
{
"name": "ModuleName",
"value": "GDI32.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "OldAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 301
},
{
"timestamp": "2026-03-08 06:36:05,975",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x76a9f000"
},
{
"name": "ModuleName",
"value": "GDI32.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 302
},
{
"timestamp": "2026-03-08 06:36:05,975",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtAllocateVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x00772000"
},
{
"name": "RegionSize",
"value": "0x00002000"
},
{
"name": "Protection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 303
},
{
"timestamp": "2026-03-08 06:36:05,975",
"thread_id": "6036",
"caller": "0x0032a0f6",
"parentcaller": "0x003016dd",
"category": "process",
"api": "NtAllocateVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x00774000"
},
{
"name": "RegionSize",
"value": "0x00003000"
},
{
"name": "Protection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 304
},
{
"timestamp": "2026-03-08 06:36:05,975",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c8"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
}
],
"repeated": 0,
"id": 305
},
{
"timestamp": "2026-03-08 06:36:05,975",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c8"
},
{
"name": "Index",
"value": "0"
},
{
"name": "KeyValueInformationClass",
"value": "0"
}
],
"repeated": 0,
"id": 306
},
{
"timestamp": "2026-03-08 06:36:05,975",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
}
],
"repeated": 0,
"id": 307
},
{
"timestamp": "2026-03-08 06:36:05,975",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Arabic Transparent"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arabic Transparent"
}
],
"repeated": 0,
"id": 308
},
{
"timestamp": "2026-03-08 06:36:05,975",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Arabic Transparent"
},
{
"name": "Type",
"value": "1",
"pretty_value": "REG_SZ"
},
{
"name": "Information",
"value": "Arial"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arabic Transparent"
}
],
"repeated": 0,
"id": 309
},
{
"timestamp": "2026-03-08 06:36:05,975",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002cc"
}
],
"repeated": 0,
"id": 310
},
{
"timestamp": "2026-03-08 06:36:05,975",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c8"
},
{
"name": "Index",
"value": "1"
},
{
"name": "KeyValueInformationClass",
"value": "0"
}
],
"repeated": 0,
"id": 311
},
{
"timestamp": "2026-03-08 06:36:05,975",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
}
],
"repeated": 0,
"id": 312
},
{
"timestamp": "2026-03-08 06:36:05,975",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Arabic Transparent Bold"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arabic Transparent Bold"
}
],
"repeated": 0,
"id": 313
},
{
"timestamp": "2026-03-08 06:36:05,975",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Arabic Transparent Bold"
},
{
"name": "Type",
"value": "1",
"pretty_value": "REG_SZ"
},
{
"name": "Information",
"value": "Arial Bold"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arabic Transparent Bold"
}
],
"repeated": 0,
"id": 314
},
{
"timestamp": "2026-03-08 06:36:05,975",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002cc"
}
],
"repeated": 0,
"id": 315
},
{
"timestamp": "2026-03-08 06:36:05,975",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c8"
},
{
"name": "Index",
"value": "2"
},
{
"name": "KeyValueInformationClass",
"value": "0"
}
],
"repeated": 0,
"id": 316
},
{
"timestamp": "2026-03-08 06:36:05,975",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
}
],
"repeated": 0,
"id": 317
},
{
"timestamp": "2026-03-08 06:36:05,975",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Arabic Transparent Bold,0"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arabic Transparent Bold,0"
}
],
"repeated": 0,
"id": 318
},
{
"timestamp": "2026-03-08 06:36:05,975",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Arabic Transparent Bold,0"
},
{
"name": "Type",
"value": "1",
"pretty_value": "REG_SZ"
},
{
"name": "Information",
"value": "Arial Bold,178"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arabic Transparent Bold,0"
}
],
"repeated": 0,
"id": 319
},
{
"timestamp": "2026-03-08 06:36:05,975",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002cc"
}
],
"repeated": 0,
"id": 320
},
{
"timestamp": "2026-03-08 06:36:05,975",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c8"
},
{
"name": "Index",
"value": "3"
},
{
"name": "KeyValueInformationClass",
"value": "0"
}
],
"repeated": 0,
"id": 321
},
{
"timestamp": "2026-03-08 06:36:05,975",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
}
],
"repeated": 0,
"id": 322
},
{
"timestamp": "2026-03-08 06:36:05,975",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Arabic Transparent,0"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arabic Transparent,0"
}
],
"repeated": 0,
"id": 323
},
{
"timestamp": "2026-03-08 06:36:05,975",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Arabic Transparent,0"
},
{
"name": "Type",
"value": "1",
"pretty_value": "REG_SZ"
},
{
"name": "Information",
"value": "Arial,178"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arabic Transparent,0"
}
],
"repeated": 0,
"id": 324
},
{
"timestamp": "2026-03-08 06:36:05,975",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002cc"
}
],
"repeated": 0,
"id": 325
},
{
"timestamp": "2026-03-08 06:36:05,975",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c8"
},
{
"name": "Index",
"value": "4"
},
{
"name": "KeyValueInformationClass",
"value": "0"
}
],
"repeated": 0,
"id": 326
},
{
"timestamp": "2026-03-08 06:36:05,975",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
}
],
"repeated": 0,
"id": 327
},
{
"timestamp": "2026-03-08 06:36:05,975",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Arial Baltic,186"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arial Baltic,186"
}
],
"repeated": 0,
"id": 328
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Arial Baltic,186"
},
{
"name": "Type",
"value": "1",
"pretty_value": "REG_SZ"
},
{
"name": "Information",
"value": "Arial,186"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arial Baltic,186"
}
],
"repeated": 0,
"id": 329
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002cc"
}
],
"repeated": 0,
"id": 330
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c8"
},
{
"name": "Index",
"value": "5"
},
{
"name": "KeyValueInformationClass",
"value": "0"
}
],
"repeated": 0,
"id": 331
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
}
],
"repeated": 0,
"id": 332
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Arial CE,238"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arial CE,238"
}
],
"repeated": 0,
"id": 333
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Arial CE,238"
},
{
"name": "Type",
"value": "1",
"pretty_value": "REG_SZ"
},
{
"name": "Information",
"value": "Arial,238"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arial CE,238"
}
],
"repeated": 0,
"id": 334
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002cc"
}
],
"repeated": 0,
"id": 335
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c8"
},
{
"name": "Index",
"value": "6"
},
{
"name": "KeyValueInformationClass",
"value": "0"
}
],
"repeated": 0,
"id": 336
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
}
],
"repeated": 0,
"id": 337
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Arial CYR,204"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arial CYR,204"
}
],
"repeated": 0,
"id": 338
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Arial CYR,204"
},
{
"name": "Type",
"value": "1",
"pretty_value": "REG_SZ"
},
{
"name": "Information",
"value": "Arial,204"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arial CYR,204"
}
],
"repeated": 0,
"id": 339
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002cc"
}
],
"repeated": 0,
"id": 340
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c8"
},
{
"name": "Index",
"value": "7"
},
{
"name": "KeyValueInformationClass",
"value": "0"
}
],
"repeated": 0,
"id": 341
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
}
],
"repeated": 0,
"id": 342
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Arial Greek,161"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arial Greek,161"
}
],
"repeated": 0,
"id": 343
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Arial Greek,161"
},
{
"name": "Type",
"value": "1",
"pretty_value": "REG_SZ"
},
{
"name": "Information",
"value": "Arial,161"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arial Greek,161"
}
],
"repeated": 0,
"id": 344
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002cc"
}
],
"repeated": 0,
"id": 345
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c8"
},
{
"name": "Index",
"value": "8"
},
{
"name": "KeyValueInformationClass",
"value": "0"
}
],
"repeated": 0,
"id": 346
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
}
],
"repeated": 0,
"id": 347
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Arial TUR,162"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arial TUR,162"
}
],
"repeated": 0,
"id": 348
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Arial TUR,162"
},
{
"name": "Type",
"value": "1",
"pretty_value": "REG_SZ"
},
{
"name": "Information",
"value": "Arial,162"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arial TUR,162"
}
],
"repeated": 0,
"id": 349
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002cc"
}
],
"repeated": 0,
"id": 350
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c8"
},
{
"name": "Index",
"value": "9"
},
{
"name": "KeyValueInformationClass",
"value": "0"
}
],
"repeated": 0,
"id": 351
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
}
],
"repeated": 0,
"id": 352
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Courier New Baltic,186"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Courier New Baltic,186"
}
],
"repeated": 0,
"id": 353
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Courier New Baltic,186"
},
{
"name": "Type",
"value": "1",
"pretty_value": "REG_SZ"
},
{
"name": "Information",
"value": "Courier New,186"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Courier New Baltic,186"
}
],
"repeated": 0,
"id": 354
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002cc"
}
],
"repeated": 0,
"id": 355
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c8"
},
{
"name": "Index",
"value": "10"
},
{
"name": "KeyValueInformationClass",
"value": "0"
}
],
"repeated": 0,
"id": 356
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
}
],
"repeated": 0,
"id": 357
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Courier New CE,238"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Courier New CE,238"
}
],
"repeated": 0,
"id": 358
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Courier New CE,238"
},
{
"name": "Type",
"value": "1",
"pretty_value": "REG_SZ"
},
{
"name": "Information",
"value": "Courier New,238"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Courier New CE,238"
}
],
"repeated": 0,
"id": 359
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002cc"
}
],
"repeated": 0,
"id": 360
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c8"
},
{
"name": "Index",
"value": "11"
},
{
"name": "KeyValueInformationClass",
"value": "0"
}
],
"repeated": 0,
"id": 361
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
}
],
"repeated": 0,
"id": 362
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Courier New CYR,204"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Courier New CYR,204"
}
],
"repeated": 0,
"id": 363
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Courier New CYR,204"
},
{
"name": "Type",
"value": "1",
"pretty_value": "REG_SZ"
},
{
"name": "Information",
"value": "Courier New,204"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Courier New CYR,204"
}
],
"repeated": 0,
"id": 364
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002cc"
}
],
"repeated": 0,
"id": 365
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c8"
},
{
"name": "Index",
"value": "12"
},
{
"name": "KeyValueInformationClass",
"value": "0"
}
],
"repeated": 0,
"id": 366
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
}
],
"repeated": 0,
"id": 367
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Courier New Greek,161"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Courier New Greek,161"
}
],
"repeated": 0,
"id": 368
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Courier New Greek,161"
},
{
"name": "Type",
"value": "1",
"pretty_value": "REG_SZ"
},
{
"name": "Information",
"value": "Courier New,161"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Courier New Greek,161"
}
],
"repeated": 0,
"id": 369
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002cc"
}
],
"repeated": 0,
"id": 370
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c8"
},
{
"name": "Index",
"value": "13"
},
{
"name": "KeyValueInformationClass",
"value": "0"
}
],
"repeated": 0,
"id": 371
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
}
],
"repeated": 0,
"id": 372
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Courier New TUR,162"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Courier New TUR,162"
}
],
"repeated": 0,
"id": 373
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Courier New TUR,162"
},
{
"name": "Type",
"value": "1",
"pretty_value": "REG_SZ"
},
{
"name": "Information",
"value": "Courier New,162"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Courier New TUR,162"
}
],
"repeated": 0,
"id": 374
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002cc"
}
],
"repeated": 0,
"id": 375
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c8"
},
{
"name": "Index",
"value": "14"
},
{
"name": "KeyValueInformationClass",
"value": "0"
}
],
"repeated": 0,
"id": 376
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
}
],
"repeated": 0,
"id": 377
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Helv"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Helv"
}
],
"repeated": 0,
"id": 378
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Helv"
},
{
"name": "Type",
"value": "1",
"pretty_value": "REG_SZ"
},
{
"name": "Information",
"value": "MS Sans Serif"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Helv"
}
],
"repeated": 0,
"id": 379
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002cc"
}
],
"repeated": 0,
"id": 380
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c8"
},
{
"name": "Index",
"value": "15"
},
{
"name": "KeyValueInformationClass",
"value": "0"
}
],
"repeated": 0,
"id": 381
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
}
],
"repeated": 0,
"id": 382
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Helvetica"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Helvetica"
}
],
"repeated": 0,
"id": 383
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Helvetica"
},
{
"name": "Type",
"value": "1",
"pretty_value": "REG_SZ"
},
{
"name": "Information",
"value": "Arial"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Helvetica"
}
],
"repeated": 0,
"id": 384
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002cc"
}
],
"repeated": 0,
"id": 385
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c8"
},
{
"name": "Index",
"value": "16"
},
{
"name": "KeyValueInformationClass",
"value": "0"
}
],
"repeated": 0,
"id": 386
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
}
],
"repeated": 0,
"id": 387
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "MS Shell Dlg 2"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\MS Shell Dlg 2"
}
],
"repeated": 0,
"id": 388
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "MS Shell Dlg 2"
},
{
"name": "Type",
"value": "1",
"pretty_value": "REG_SZ"
},
{
"name": "Information",
"value": "Tahoma"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\MS Shell Dlg 2"
}
],
"repeated": 0,
"id": 389
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002cc"
}
],
"repeated": 0,
"id": 390
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c8"
},
{
"name": "Index",
"value": "17"
},
{
"name": "KeyValueInformationClass",
"value": "0"
}
],
"repeated": 0,
"id": 391
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
}
],
"repeated": 0,
"id": 392
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Tahoma Armenian"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Tahoma Armenian"
}
],
"repeated": 0,
"id": 393
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Tahoma Armenian"
},
{
"name": "Type",
"value": "1",
"pretty_value": "REG_SZ"
},
{
"name": "Information",
"value": "Tahoma"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Tahoma Armenian"
}
],
"repeated": 0,
"id": 394
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002cc"
}
],
"repeated": 0,
"id": 395
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c8"
},
{
"name": "Index",
"value": "18"
},
{
"name": "KeyValueInformationClass",
"value": "0"
}
],
"repeated": 0,
"id": 396
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
}
],
"repeated": 0,
"id": 397
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Times"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Times"
}
],
"repeated": 0,
"id": 398
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Times"
},
{
"name": "Type",
"value": "1",
"pretty_value": "REG_SZ"
},
{
"name": "Information",
"value": "Times New Roman"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Times"
}
],
"repeated": 0,
"id": 399
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002cc"
}
],
"repeated": 0,
"id": 400
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c8"
},
{
"name": "Index",
"value": "19"
},
{
"name": "KeyValueInformationClass",
"value": "0"
}
],
"repeated": 0,
"id": 401
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
}
],
"repeated": 0,
"id": 402
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Times New Roman Baltic,186"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Times New Roman Baltic,186"
}
],
"repeated": 0,
"id": 403
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Times New Roman Baltic,186"
},
{
"name": "Type",
"value": "1",
"pretty_value": "REG_SZ"
},
{
"name": "Information",
"value": "Times New Roman,186"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Times New Roman Baltic,186"
}
],
"repeated": 0,
"id": 404
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002cc"
}
],
"repeated": 0,
"id": 405
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c8"
},
{
"name": "Index",
"value": "20"
},
{
"name": "KeyValueInformationClass",
"value": "0"
}
],
"repeated": 0,
"id": 406
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
}
],
"repeated": 0,
"id": 407
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Times New Roman CE,238"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Times New Roman CE,238"
}
],
"repeated": 0,
"id": 408
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Times New Roman CE,238"
},
{
"name": "Type",
"value": "1",
"pretty_value": "REG_SZ"
},
{
"name": "Information",
"value": "Times New Roman,238"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Times New Roman CE,238"
}
],
"repeated": 0,
"id": 409
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002cc"
}
],
"repeated": 0,
"id": 410
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002c8"
}
],
"repeated": 0,
"id": 411
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c8"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
}
],
"repeated": 0,
"id": 412
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c8"
},
{
"name": "Index",
"value": "0"
},
{
"name": "KeyValueInformationClass",
"value": "0"
}
],
"repeated": 0,
"id": 413
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
}
],
"repeated": 0,
"id": 414
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Arabic Transparent"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arabic Transparent"
}
],
"repeated": 0,
"id": 415
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Arabic Transparent"
},
{
"name": "Type",
"value": "1",
"pretty_value": "REG_SZ"
},
{
"name": "Information",
"value": "Arial"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arabic Transparent"
}
],
"repeated": 0,
"id": 416
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002cc"
}
],
"repeated": 0,
"id": 417
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c8"
},
{
"name": "Index",
"value": "1"
},
{
"name": "KeyValueInformationClass",
"value": "0"
}
],
"repeated": 0,
"id": 418
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
}
],
"repeated": 0,
"id": 419
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Arabic Transparent Bold"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arabic Transparent Bold"
}
],
"repeated": 0,
"id": 420
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Arabic Transparent Bold"
},
{
"name": "Type",
"value": "1",
"pretty_value": "REG_SZ"
},
{
"name": "Information",
"value": "Arial Bold"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arabic Transparent Bold"
}
],
"repeated": 0,
"id": 421
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002cc"
}
],
"repeated": 0,
"id": 422
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c8"
},
{
"name": "Index",
"value": "2"
},
{
"name": "KeyValueInformationClass",
"value": "0"
}
],
"repeated": 0,
"id": 423
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
}
],
"repeated": 0,
"id": 424
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Arabic Transparent Bold,0"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arabic Transparent Bold,0"
}
],
"repeated": 0,
"id": 425
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Arabic Transparent Bold,0"
},
{
"name": "Type",
"value": "1",
"pretty_value": "REG_SZ"
},
{
"name": "Information",
"value": "Arial Bold,178"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arabic Transparent Bold,0"
}
],
"repeated": 0,
"id": 426
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002cc"
}
],
"repeated": 0,
"id": 427
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c8"
},
{
"name": "Index",
"value": "3"
},
{
"name": "KeyValueInformationClass",
"value": "0"
}
],
"repeated": 0,
"id": 428
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
}
],
"repeated": 0,
"id": 429
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Arabic Transparent,0"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arabic Transparent,0"
}
],
"repeated": 0,
"id": 430
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Arabic Transparent,0"
},
{
"name": "Type",
"value": "1",
"pretty_value": "REG_SZ"
},
{
"name": "Information",
"value": "Arial,178"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arabic Transparent,0"
}
],
"repeated": 0,
"id": 431
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002cc"
}
],
"repeated": 0,
"id": 432
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c8"
},
{
"name": "Index",
"value": "4"
},
{
"name": "KeyValueInformationClass",
"value": "0"
}
],
"repeated": 0,
"id": 433
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
}
],
"repeated": 0,
"id": 434
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Arial Baltic,186"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arial Baltic,186"
}
],
"repeated": 0,
"id": 435
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Arial Baltic,186"
},
{
"name": "Type",
"value": "1",
"pretty_value": "REG_SZ"
},
{
"name": "Information",
"value": "Arial,186"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arial Baltic,186"
}
],
"repeated": 0,
"id": 436
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002cc"
}
],
"repeated": 0,
"id": 437
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c8"
},
{
"name": "Index",
"value": "5"
},
{
"name": "KeyValueInformationClass",
"value": "0"
}
],
"repeated": 0,
"id": 438
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
}
],
"repeated": 0,
"id": 439
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Arial CE,238"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arial CE,238"
}
],
"repeated": 0,
"id": 440
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Arial CE,238"
},
{
"name": "Type",
"value": "1",
"pretty_value": "REG_SZ"
},
{
"name": "Information",
"value": "Arial,238"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arial CE,238"
}
],
"repeated": 0,
"id": 441
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002cc"
}
],
"repeated": 0,
"id": 442
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c8"
},
{
"name": "Index",
"value": "6"
},
{
"name": "KeyValueInformationClass",
"value": "0"
}
],
"repeated": 0,
"id": 443
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
}
],
"repeated": 0,
"id": 444
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Arial CYR,204"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arial CYR,204"
}
],
"repeated": 0,
"id": 445
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Arial CYR,204"
},
{
"name": "Type",
"value": "1",
"pretty_value": "REG_SZ"
},
{
"name": "Information",
"value": "Arial,204"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arial CYR,204"
}
],
"repeated": 0,
"id": 446
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002cc"
}
],
"repeated": 0,
"id": 447
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c8"
},
{
"name": "Index",
"value": "7"
},
{
"name": "KeyValueInformationClass",
"value": "0"
}
],
"repeated": 0,
"id": 448
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
}
],
"repeated": 0,
"id": 449
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Arial Greek,161"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arial Greek,161"
}
],
"repeated": 0,
"id": 450
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Arial Greek,161"
},
{
"name": "Type",
"value": "1",
"pretty_value": "REG_SZ"
},
{
"name": "Information",
"value": "Arial,161"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arial Greek,161"
}
],
"repeated": 0,
"id": 451
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002cc"
}
],
"repeated": 0,
"id": 452
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c8"
},
{
"name": "Index",
"value": "8"
},
{
"name": "KeyValueInformationClass",
"value": "0"
}
],
"repeated": 0,
"id": 453
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
}
],
"repeated": 0,
"id": 454
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Arial TUR,162"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arial TUR,162"
}
],
"repeated": 0,
"id": 455
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Arial TUR,162"
},
{
"name": "Type",
"value": "1",
"pretty_value": "REG_SZ"
},
{
"name": "Information",
"value": "Arial,162"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arial TUR,162"
}
],
"repeated": 0,
"id": 456
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002cc"
}
],
"repeated": 0,
"id": 457
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c8"
},
{
"name": "Index",
"value": "9"
},
{
"name": "KeyValueInformationClass",
"value": "0"
}
],
"repeated": 0,
"id": 458
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
}
],
"repeated": 0,
"id": 459
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Courier New Baltic,186"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Courier New Baltic,186"
}
],
"repeated": 0,
"id": 460
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Courier New Baltic,186"
},
{
"name": "Type",
"value": "1",
"pretty_value": "REG_SZ"
},
{
"name": "Information",
"value": "Courier New,186"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Courier New Baltic,186"
}
],
"repeated": 0,
"id": 461
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002cc"
}
],
"repeated": 0,
"id": 462
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c8"
},
{
"name": "Index",
"value": "10"
},
{
"name": "KeyValueInformationClass",
"value": "0"
}
],
"repeated": 0,
"id": 463
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
}
],
"repeated": 0,
"id": 464
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Courier New CE,238"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Courier New CE,238"
}
],
"repeated": 0,
"id": 465
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Courier New CE,238"
},
{
"name": "Type",
"value": "1",
"pretty_value": "REG_SZ"
},
{
"name": "Information",
"value": "Courier New,238"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Courier New CE,238"
}
],
"repeated": 0,
"id": 466
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002cc"
}
],
"repeated": 0,
"id": 467
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c8"
},
{
"name": "Index",
"value": "11"
},
{
"name": "KeyValueInformationClass",
"value": "0"
}
],
"repeated": 0,
"id": 468
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
}
],
"repeated": 0,
"id": 469
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Courier New CYR,204"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Courier New CYR,204"
}
],
"repeated": 0,
"id": 470
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Courier New CYR,204"
},
{
"name": "Type",
"value": "1",
"pretty_value": "REG_SZ"
},
{
"name": "Information",
"value": "Courier New,204"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Courier New CYR,204"
}
],
"repeated": 0,
"id": 471
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002cc"
}
],
"repeated": 0,
"id": 472
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c8"
},
{
"name": "Index",
"value": "12"
},
{
"name": "KeyValueInformationClass",
"value": "0"
}
],
"repeated": 0,
"id": 473
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
}
],
"repeated": 0,
"id": 474
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Courier New Greek,161"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Courier New Greek,161"
}
],
"repeated": 0,
"id": 475
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Courier New Greek,161"
},
{
"name": "Type",
"value": "1",
"pretty_value": "REG_SZ"
},
{
"name": "Information",
"value": "Courier New,161"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Courier New Greek,161"
}
],
"repeated": 0,
"id": 476
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002cc"
}
],
"repeated": 0,
"id": 477
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c8"
},
{
"name": "Index",
"value": "13"
},
{
"name": "KeyValueInformationClass",
"value": "0"
}
],
"repeated": 0,
"id": 478
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
}
],
"repeated": 0,
"id": 479
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Courier New TUR,162"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Courier New TUR,162"
}
],
"repeated": 0,
"id": 480
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Courier New TUR,162"
},
{
"name": "Type",
"value": "1",
"pretty_value": "REG_SZ"
},
{
"name": "Information",
"value": "Courier New,162"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Courier New TUR,162"
}
],
"repeated": 0,
"id": 481
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002cc"
}
],
"repeated": 0,
"id": 482
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c8"
},
{
"name": "Index",
"value": "14"
},
{
"name": "KeyValueInformationClass",
"value": "0"
}
],
"repeated": 0,
"id": 483
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
}
],
"repeated": 0,
"id": 484
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Helv"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Helv"
}
],
"repeated": 0,
"id": 485
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Helv"
},
{
"name": "Type",
"value": "1",
"pretty_value": "REG_SZ"
},
{
"name": "Information",
"value": "MS Sans Serif"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Helv"
}
],
"repeated": 0,
"id": 486
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002cc"
}
],
"repeated": 0,
"id": 487
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c8"
},
{
"name": "Index",
"value": "15"
},
{
"name": "KeyValueInformationClass",
"value": "0"
}
],
"repeated": 0,
"id": 488
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
}
],
"repeated": 0,
"id": 489
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Helvetica"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Helvetica"
}
],
"repeated": 0,
"id": 490
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Helvetica"
},
{
"name": "Type",
"value": "1",
"pretty_value": "REG_SZ"
},
{
"name": "Information",
"value": "Arial"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Helvetica"
}
],
"repeated": 0,
"id": 491
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002cc"
}
],
"repeated": 0,
"id": 492
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c8"
},
{
"name": "Index",
"value": "16"
},
{
"name": "KeyValueInformationClass",
"value": "0"
}
],
"repeated": 0,
"id": 493
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
}
],
"repeated": 0,
"id": 494
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "MS Shell Dlg 2"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\MS Shell Dlg 2"
}
],
"repeated": 0,
"id": 495
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "MS Shell Dlg 2"
},
{
"name": "Type",
"value": "1",
"pretty_value": "REG_SZ"
},
{
"name": "Information",
"value": "Tahoma"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\MS Shell Dlg 2"
}
],
"repeated": 0,
"id": 496
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002cc"
}
],
"repeated": 0,
"id": 497
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c8"
},
{
"name": "Index",
"value": "17"
},
{
"name": "KeyValueInformationClass",
"value": "0"
}
],
"repeated": 0,
"id": 498
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
}
],
"repeated": 0,
"id": 499
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Tahoma Armenian"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Tahoma Armenian"
}
],
"repeated": 0,
"id": 500
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Tahoma Armenian"
},
{
"name": "Type",
"value": "1",
"pretty_value": "REG_SZ"
},
{
"name": "Information",
"value": "Tahoma"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Tahoma Armenian"
}
],
"repeated": 0,
"id": 501
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002cc"
}
],
"repeated": 0,
"id": 502
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c8"
},
{
"name": "Index",
"value": "18"
},
{
"name": "KeyValueInformationClass",
"value": "0"
}
],
"repeated": 0,
"id": 503
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
}
],
"repeated": 0,
"id": 504
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Times"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Times"
}
],
"repeated": 0,
"id": 505
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Times"
},
{
"name": "Type",
"value": "1",
"pretty_value": "REG_SZ"
},
{
"name": "Information",
"value": "Times New Roman"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Times"
}
],
"repeated": 0,
"id": 506
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002cc"
}
],
"repeated": 0,
"id": 507
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c8"
},
{
"name": "Index",
"value": "19"
},
{
"name": "KeyValueInformationClass",
"value": "0"
}
],
"repeated": 0,
"id": 508
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
}
],
"repeated": 0,
"id": 509
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Times New Roman Baltic,186"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Times New Roman Baltic,186"
}
],
"repeated": 0,
"id": 510
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Times New Roman Baltic,186"
},
{
"name": "Type",
"value": "1",
"pretty_value": "REG_SZ"
},
{
"name": "Information",
"value": "Times New Roman,186"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Times New Roman Baltic,186"
}
],
"repeated": 0,
"id": 511
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002cc"
}
],
"repeated": 0,
"id": 512
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c8"
},
{
"name": "Index",
"value": "20"
},
{
"name": "KeyValueInformationClass",
"value": "0"
}
],
"repeated": 0,
"id": 513
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
}
],
"repeated": 0,
"id": 514
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Times New Roman CE,238"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Times New Roman CE,238"
}
],
"repeated": 0,
"id": 515
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Times New Roman CE,238"
},
{
"name": "Type",
"value": "1",
"pretty_value": "REG_SZ"
},
{
"name": "Information",
"value": "Times New Roman,238"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Times New Roman CE,238"
}
],
"repeated": 0,
"id": 516
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002cc"
}
],
"repeated": 0,
"id": 517
},
{
"timestamp": "2026-03-08 06:36:05,991",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c8"
},
{
"name": "Index",
"value": "21"
},
{
"name": "KeyValueInformationClass",
"value": "0"
}
],
"repeated": 0,
"id": 518
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
}
],
"repeated": 0,
"id": 519
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Times New Roman CYR,204"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Times New Roman CYR,204"
}
],
"repeated": 0,
"id": 520
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Times New Roman CYR,204"
},
{
"name": "Type",
"value": "1",
"pretty_value": "REG_SZ"
},
{
"name": "Information",
"value": "Times New Roman,204"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Times New Roman CYR,204"
}
],
"repeated": 0,
"id": 521
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002cc"
}
],
"repeated": 0,
"id": 522
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c8"
},
{
"name": "Index",
"value": "22"
},
{
"name": "KeyValueInformationClass",
"value": "0"
}
],
"repeated": 0,
"id": 523
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
}
],
"repeated": 0,
"id": 524
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Times New Roman Greek,161"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Times New Roman Greek,161"
}
],
"repeated": 0,
"id": 525
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Times New Roman Greek,161"
},
{
"name": "Type",
"value": "1",
"pretty_value": "REG_SZ"
},
{
"name": "Information",
"value": "Times New Roman,161"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Times New Roman Greek,161"
}
],
"repeated": 0,
"id": 526
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002cc"
}
],
"repeated": 0,
"id": 527
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c8"
},
{
"name": "Index",
"value": "23"
},
{
"name": "KeyValueInformationClass",
"value": "0"
}
],
"repeated": 0,
"id": 528
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
}
],
"repeated": 0,
"id": 529
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Times New Roman TUR,162"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Times New Roman TUR,162"
}
],
"repeated": 0,
"id": 530
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Times New Roman TUR,162"
},
{
"name": "Type",
"value": "1",
"pretty_value": "REG_SZ"
},
{
"name": "Information",
"value": "Times New Roman,162"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Times New Roman TUR,162"
}
],
"repeated": 0,
"id": 531
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002cc"
}
],
"repeated": 0,
"id": 532
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c8"
},
{
"name": "Index",
"value": "24"
},
{
"name": "KeyValueInformationClass",
"value": "0"
}
],
"repeated": 0,
"id": 533
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
}
],
"repeated": 0,
"id": 534
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Tms Rmn"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Tms Rmn"
}
],
"repeated": 0,
"id": 535
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Tms Rmn"
},
{
"name": "Type",
"value": "1",
"pretty_value": "REG_SZ"
},
{
"name": "Information",
"value": "MS Serif"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Tms Rmn"
}
],
"repeated": 0,
"id": 536
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002cc"
}
],
"repeated": 0,
"id": 537
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c8"
},
{
"name": "Index",
"value": "25"
},
{
"name": "KeyValueInformationClass",
"value": "0"
}
],
"repeated": 0,
"id": 538
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
}
],
"repeated": 0,
"id": 539
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "MS Shell Dlg"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\MS Shell Dlg"
}
],
"repeated": 0,
"id": 540
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "MS Shell Dlg"
},
{
"name": "Type",
"value": "1",
"pretty_value": "REG_SZ"
},
{
"name": "Information",
"value": "Microsoft Sans Serif"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\MS Shell Dlg"
}
],
"repeated": 0,
"id": 541
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002cc"
}
],
"repeated": 0,
"id": 542
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c8"
},
{
"name": "Index",
"value": "26"
},
{
"name": "KeyValueInformationClass",
"value": "0"
}
],
"repeated": 0,
"id": 543
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
}
],
"repeated": 0,
"id": 544
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "System,0"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\System,0"
}
],
"repeated": 0,
"id": 545
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "System,0"
},
{
"name": "Type",
"value": "1",
"pretty_value": "REG_SZ"
},
{
"name": "Information",
"value": "System,204"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\System,0"
}
],
"repeated": 0,
"id": 546
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002cc"
}
],
"repeated": 0,
"id": 547
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c8"
},
{
"name": "Index",
"value": "27"
},
{
"name": "KeyValueInformationClass",
"value": "0"
}
],
"repeated": 0,
"id": 548
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
}
],
"repeated": 0,
"id": 549
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Fixedsys,0"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Fixedsys,0"
}
],
"repeated": 0,
"id": 550
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Fixedsys,0"
},
{
"name": "Type",
"value": "1",
"pretty_value": "REG_SZ"
},
{
"name": "Information",
"value": "Fixedsys,204"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Fixedsys,0"
}
],
"repeated": 0,
"id": 551
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002cc"
}
],
"repeated": 0,
"id": 552
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c8"
},
{
"name": "Index",
"value": "28"
},
{
"name": "KeyValueInformationClass",
"value": "0"
}
],
"repeated": 0,
"id": 553
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
}
],
"repeated": 0,
"id": 554
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Small Fonts,0"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Small Fonts,0"
}
],
"repeated": 0,
"id": 555
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Small Fonts,0"
},
{
"name": "Type",
"value": "1",
"pretty_value": "REG_SZ"
},
{
"name": "Information",
"value": "Small Fonts,204"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Small Fonts,0"
}
],
"repeated": 0,
"id": 556
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002cc"
}
],
"repeated": 0,
"id": 557
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c8"
},
{
"name": "Index",
"value": "29"
},
{
"name": "KeyValueInformationClass",
"value": "0"
}
],
"repeated": 0,
"id": 558
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
}
],
"repeated": 0,
"id": 559
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "MS Serif,0"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\MS Serif,0"
}
],
"repeated": 0,
"id": 560
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "MS Serif,0"
},
{
"name": "Type",
"value": "1",
"pretty_value": "REG_SZ"
},
{
"name": "Information",
"value": "MS Serif,204"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\MS Serif,0"
}
],
"repeated": 0,
"id": 561
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002cc"
}
],
"repeated": 0,
"id": 562
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c8"
},
{
"name": "Index",
"value": "30"
},
{
"name": "KeyValueInformationClass",
"value": "0"
}
],
"repeated": 0,
"id": 563
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
}
],
"repeated": 0,
"id": 564
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "MS Sans Serif,0"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\MS Sans Serif,0"
}
],
"repeated": 0,
"id": 565
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "MS Sans Serif,0"
},
{
"name": "Type",
"value": "1",
"pretty_value": "REG_SZ"
},
{
"name": "Information",
"value": "MS Sans Serif,204"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\MS Sans Serif,0"
}
],
"repeated": 0,
"id": 566
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002cc"
}
],
"repeated": 0,
"id": 567
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c8"
},
{
"name": "Index",
"value": "31"
},
{
"name": "KeyValueInformationClass",
"value": "0"
}
],
"repeated": 0,
"id": 568
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
}
],
"repeated": 0,
"id": 569
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Courier,0"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Courier,0"
}
],
"repeated": 0,
"id": 570
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Courier,0"
},
{
"name": "Type",
"value": "1",
"pretty_value": "REG_SZ"
},
{
"name": "Information",
"value": "Courier New,204"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Courier,0"
}
],
"repeated": 0,
"id": 571
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002cc"
}
],
"repeated": 0,
"id": 572
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c8"
},
{
"name": "Index",
"value": "32"
},
{
"name": "KeyValueInformationClass",
"value": "0"
}
],
"repeated": 0,
"id": 573
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
}
],
"repeated": 0,
"id": 574
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Arial Cyr,0"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arial Cyr,0"
}
],
"repeated": 0,
"id": 575
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Arial Cyr,0"
},
{
"name": "Type",
"value": "1",
"pretty_value": "REG_SZ"
},
{
"name": "Information",
"value": "Arial,204"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arial Cyr,0"
}
],
"repeated": 0,
"id": 576
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002cc"
}
],
"repeated": 0,
"id": 577
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c8"
},
{
"name": "Index",
"value": "33"
},
{
"name": "KeyValueInformationClass",
"value": "0"
}
],
"repeated": 0,
"id": 578
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
}
],
"repeated": 0,
"id": 579
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Courier New Cyr,0"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Courier New Cyr,0"
}
],
"repeated": 0,
"id": 580
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Courier New Cyr,0"
},
{
"name": "Type",
"value": "1",
"pretty_value": "REG_SZ"
},
{
"name": "Information",
"value": "Courier New,204"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Courier New Cyr,0"
}
],
"repeated": 0,
"id": 581
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002cc"
}
],
"repeated": 0,
"id": 582
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c8"
},
{
"name": "Index",
"value": "34"
},
{
"name": "KeyValueInformationClass",
"value": "0"
}
],
"repeated": 0,
"id": 583
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
}
],
"repeated": 0,
"id": 584
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Times New Roman Cyr,0"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Times New Roman Cyr,0"
}
],
"repeated": 0,
"id": 585
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Times New Roman Cyr,0"
},
{
"name": "Type",
"value": "1",
"pretty_value": "REG_SZ"
},
{
"name": "Information",
"value": "Times New Roman,204"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Times New Roman Cyr,0"
}
],
"repeated": 0,
"id": 586
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002cc"
}
],
"repeated": 0,
"id": 587
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c8"
},
{
"name": "Index",
"value": "35"
},
{
"name": "KeyValueInformationClass",
"value": "0"
}
],
"repeated": 0,
"id": 588
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
}
],
"repeated": 0,
"id": 589
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Helv,0"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Helv,0"
}
],
"repeated": 0,
"id": 590
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Helv,0"
},
{
"name": "Type",
"value": "1",
"pretty_value": "REG_SZ"
},
{
"name": "Information",
"value": "MS Sans Serif,204"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Helv,0"
}
],
"repeated": 0,
"id": 591
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002cc"
}
],
"repeated": 0,
"id": 592
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c8"
},
{
"name": "Index",
"value": "36"
},
{
"name": "KeyValueInformationClass",
"value": "0"
}
],
"repeated": 0,
"id": 593
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "DesiredAccess",
"value": "0x80000000",
"pretty_value": "0x80000000"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
}
],
"repeated": 0,
"id": 594
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Tms Rmn,0"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Tms Rmn,0"
}
],
"repeated": 0,
"id": 595
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtQueryValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002cc"
},
{
"name": "ValueName",
"value": "Tms Rmn,0"
},
{
"name": "Type",
"value": "1",
"pretty_value": "REG_SZ"
},
{
"name": "Information",
"value": "MS Serif,204"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Tms Rmn,0"
}
],
"repeated": 0,
"id": 596
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002cc"
}
],
"repeated": 0,
"id": 597
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff8000001a",
"pretty_return": "NO_MORE_ENTRIES",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c8"
},
{
"name": "Index",
"value": "37"
},
{
"name": "KeyValueInformationClass",
"value": "0"
}
],
"repeated": 0,
"id": 598
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002c8"
}
],
"repeated": 0,
"id": 599
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "process",
"api": "NtAllocateVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x00777000"
},
{
"name": "RegionSize",
"value": "0x00002000"
},
{
"name": "Protection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 600
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "process",
"api": "NtAllocateVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x00779000"
},
{
"name": "RegionSize",
"value": "0x00001000"
},
{
"name": "Protection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 601
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "process",
"api": "NtAllocateVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x0077a000"
},
{
"name": "RegionSize",
"value": "0x00002000"
},
{
"name": "Protection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 602
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "process",
"api": "NtAllocateVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x0077c000"
},
{
"name": "RegionSize",
"value": "0x00003000"
},
{
"name": "Protection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 603
},
{
"timestamp": "2026-03-08 06:36:06,007",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "process",
"api": "NtAllocateVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x0077f000"
},
{
"name": "RegionSize",
"value": "0x00004000"
},
{
"name": "Protection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 604
},
{
"timestamp": "2026-03-08 06:36:06,038",
"thread_id": "6036",
"caller": "0x003017c6",
"parentcaller": "0x003023f0",
"category": "misc",
"api": "SystemParametersInfoW",
"status": true,
"return": "0x00000001",
"arguments": [
{
"name": "Action",
"value": "0x00000042"
},
{
"name": "uiParam",
"value": "0x0000000c"
}
],
"repeated": 0,
"id": 605
},
{
"timestamp": "2026-03-08 06:36:06,053",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x76a9f000"
},
{
"name": "ModuleName",
"value": "GDI32.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "OldAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 606
},
{
"timestamp": "2026-03-08 06:36:06,053",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x76a9f000"
},
{
"name": "ModuleName",
"value": "GDI32.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 607
},
{
"timestamp": "2026-03-08 06:36:06,053",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "misc",
"api": "GetKeyboardLayout",
"status": true,
"return": "0x04190419",
"arguments": [
{
"name": "KeyboardLayout",
"value": "0x00000419"
},
{
"name": "LanguageName",
"value": "Russian"
}
],
"repeated": 0,
"id": 608
},
{
"timestamp": "2026-03-08 06:36:06,053",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002c8"
}
],
"repeated": 0,
"id": 609
},
{
"timestamp": "2026-03-08 06:36:06,053",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002cc"
}
],
"repeated": 0,
"id": 610
},
{
"timestamp": "2026-03-08 06:36:06,053",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "misc",
"api": "RtlSetCurrentTransaction",
"status": true,
"return": "0x00000001",
"arguments": [
{
"name": "TransactionHandle",
"value": "0x00000000"
}
],
"repeated": 1,
"id": 611
},
{
"timestamp": "2026-03-08 06:36:06,053",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtOpenKeyEx",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "KeyHandle",
"value": "0x00000000"
},
{
"name": "DesiredAccess",
"value": "0x00020019",
"pretty_value": "KEY_READ"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000130"
},
{
"name": "ObjectAttributesName",
"value": "SOFTWARE\\Microsoft\\CTF\\Compatibility\\strings.exe"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\strings.exe"
}
],
"repeated": 0,
"id": 612
},
{
"timestamp": "2026-03-08 06:36:06,053",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x774fd000"
},
{
"name": "ModuleName",
"value": "IMM32.DLL"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "OldAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 613
},
{
"timestamp": "2026-03-08 06:36:06,053",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x774fd000"
},
{
"name": "ModuleName",
"value": "IMM32.DLL"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 614
},
{
"timestamp": "2026-03-08 06:36:06,053",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetDllHandle",
"status": false,
"return": "0xffffffffc0000135",
"pretty_return": "DLL_NOT_FOUND",
"arguments": [
{
"name": "FileName",
"value": "C:\\Windows\\system32\\rpcss.dll"
},
{
"name": "ModuleHandle",
"value": "0x0000001e"
}
],
"repeated": 0,
"id": 615
},
{
"timestamp": "2026-03-08 06:36:06,053",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "misc",
"api": "NtQuerySystemInformation",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "SystemInformationClass",
"value": "0",
"pretty_value": "FILE_SUPERSEDE"
}
],
"repeated": 0,
"id": 616
},
{
"timestamp": "2026-03-08 06:36:06,053",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtOpenSection",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "SectionHandle",
"value": "0x00000000"
},
{
"name": "DesiredAccess",
"value": "0x0000000d"
},
{
"name": "ObjectAttributes",
"value": "kernel.appcore.dll"
}
],
"repeated": 0,
"id": 617
},
{
"timestamp": "2026-03-08 06:36:06,053",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "filesystem",
"api": "NtQueryAttributesFile",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileName",
"value": "C:\\Windows\\System32\\kernel.appcore.dll"
}
],
"repeated": 0,
"id": 618
},
{
"timestamp": "2026-03-08 06:36:06,053",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "filesystem",
"api": "NtOpenFile",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileHandle",
"value": "0x000002c0"
},
{
"name": "DesiredAccess",
"value": "0x00100021",
"pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
},
{
"name": "FileName",
"value": "C:\\Windows\\System32\\kernel.appcore.dll"
},
{
"name": "ShareAccess",
"value": "5",
"pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
}
],
"repeated": 0,
"id": 619
},
{
"timestamp": "2026-03-08 06:36:06,053",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtCreateSection",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "SectionHandle",
"value": "0x000002bc"
},
{
"name": "DesiredAccess",
"value": "0x0000000d",
"pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
},
{
"name": "ObjectAttributes",
"value": ""
},
{
"name": "FileHandle",
"value": "0x000002c0"
},
{
"name": "FileName",
"value": "C:\\Windows\\SysWOW64\\kernel.appcore.dll"
}
],
"repeated": 0,
"id": 620
},
{
"timestamp": "2026-03-08 06:36:06,053",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtMapViewOfSection",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "SectionHandle",
"value": "0x000002bc"
},
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x75250000"
},
{
"name": "SectionOffset",
"value": "0x00000000"
},
{
"name": "ViewSize",
"value": "0x0000f000"
},
{
"name": "Win32Protect",
"value": "0x00000080",
"pretty_value": "PAGE_EXECUTE_WRITECOPY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 621
},
{
"timestamp": "2026-03-08 06:36:06,053",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x7525c000"
},
{
"name": "ModuleName",
"value": "kernel.appcore.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 622
},
{
"timestamp": "2026-03-08 06:36:06,053",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x77f69000"
},
{
"name": "ModuleName",
"value": "ntdll.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00003000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "OldAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 623
},
{
"timestamp": "2026-03-08 06:36:06,053",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x77f69000"
},
{
"name": "ModuleName",
"value": "ntdll.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00003000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 624
},
{
"timestamp": "2026-03-08 06:36:06,053",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x75259000"
},
{
"name": "ModuleName",
"value": "kernel.appcore.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "OldAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 625
},
{
"timestamp": "2026-03-08 06:36:06,053",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002bc"
}
],
"repeated": 0,
"id": 626
},
{
"timestamp": "2026-03-08 06:36:06,053",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002c0"
}
],
"repeated": 0,
"id": 627
},
{
"timestamp": "2026-03-08 06:36:06,053",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x75259000"
},
{
"name": "ModuleName",
"value": "kernel.appcore.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 628
},
{
"timestamp": "2026-03-08 06:36:06,053",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetDllHandle",
"status": false,
"return": "0xffffffffc0000135",
"pretty_return": "DLL_NOT_FOUND",
"arguments": [
{
"name": "FileName",
"value": "DDRAW.DLL"
},
{
"name": "ModuleHandle",
"value": "0x00000000"
}
],
"repeated": 1,
"id": 629
},
{
"timestamp": "2026-03-08 06:36:06,053",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetDllHandle",
"status": false,
"return": "0xffffffffc0000135",
"pretty_return": "DLL_NOT_FOUND",
"arguments": [
{
"name": "FileName",
"value": "D3D8.DLL"
},
{
"name": "ModuleHandle",
"value": "0x00000000"
}
],
"repeated": 0,
"id": 630
},
{
"timestamp": "2026-03-08 06:36:06,053",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetDllHandle",
"status": false,
"return": "0xffffffffc0000135",
"pretty_return": "DLL_NOT_FOUND",
"arguments": [
{
"name": "FileName",
"value": "D3D9.DLL"
},
{
"name": "ModuleHandle",
"value": "0x00000000"
}
],
"repeated": 1,
"id": 631
},
{
"timestamp": "2026-03-08 06:36:06,053",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "misc",
"api": "RtlDosPathNameToNtPathName_U",
"status": true,
"return": "0x00000001",
"arguments": [
{
"name": "DosFileName",
"value": "C:\\Windows\\SYSTEM32\\kernel.appcore.dll"
}
],
"repeated": 0,
"id": 632
},
{
"timestamp": "2026-03-08 06:36:06,053",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "filesystem",
"api": "NtOpenFile",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileHandle",
"value": "0x000002c0"
},
{
"name": "DesiredAccess",
"value": "0x00020000",
"pretty_value": "READ_CONTROL"
},
{
"name": "FileName",
"value": "C:\\Windows\\System32\\kernel.appcore.dll"
},
{
"name": "ShareAccess",
"value": "5",
"pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
}
],
"repeated": 0,
"id": 633
},
{
"timestamp": "2026-03-08 06:36:06,053",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002c0"
}
],
"repeated": 0,
"id": 634
},
{
"timestamp": "2026-03-08 06:36:06,053",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "DllLoadNotification",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "NotificationReason",
"value": "load"
},
{
"name": "DllName",
"value": "C:\\Windows\\SYSTEM32\\kernel.appcore"
},
{
"name": "DllBase",
"value": "0x75250000"
}
],
"repeated": 0,
"id": 635
},
{
"timestamp": "2026-03-08 06:36:06,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrpCallInitRoutine",
"status": true,
"return": "0xffffffffbcfba401",
"arguments": [
{
"name": "MappedPath",
"value": "\\Device\\HarddiskVolume1\\Windows\\SysWOW64\\kernel.appcore"
},
{
"name": "BaseAddress",
"value": "0x75250000"
},
{
"name": "InitRoutine",
"value": "0x752547e0"
},
{
"name": "Reason",
"value": "1"
}
],
"repeated": 0,
"id": 636
},
{
"timestamp": "2026-03-08 06:36:06,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x77d97000"
},
{
"name": "ModuleName",
"value": "combase.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "OldAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 637
},
{
"timestamp": "2026-03-08 06:36:06,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x77d97000"
},
{
"name": "ModuleName",
"value": "combase.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 638
},
{
"timestamp": "2026-03-08 06:36:06,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtOpenSection",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "SectionHandle",
"value": "0x000002d0"
},
{
"name": "DesiredAccess",
"value": "0x0000000d"
},
{
"name": "ObjectAttributes",
"value": "bcryptPrimitives.dll"
}
],
"repeated": 0,
"id": 639
},
{
"timestamp": "2026-03-08 06:36:06,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtMapViewOfSection",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "SectionHandle",
"value": "0x000002d0"
},
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x76d80000"
},
{
"name": "SectionOffset",
"value": "0x00000000"
},
{
"name": "ViewSize",
"value": "0x0005f000"
},
{
"name": "Win32Protect",
"value": "0x00000080",
"pretty_value": "PAGE_EXECUTE_WRITECOPY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 640
},
{
"timestamp": "2026-03-08 06:36:06,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x77f69000"
},
{
"name": "ModuleName",
"value": "ntdll.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00003000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "OldAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 641
},
{
"timestamp": "2026-03-08 06:36:06,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x77f69000"
},
{
"name": "ModuleName",
"value": "ntdll.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00003000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 642
},
{
"timestamp": "2026-03-08 06:36:06,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x76dda000"
},
{
"name": "ModuleName",
"value": "bcryptPrimitives.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "OldAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 643
},
{
"timestamp": "2026-03-08 06:36:06,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002d0"
}
],
"repeated": 0,
"id": 644
},
{
"timestamp": "2026-03-08 06:36:06,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x76dda000"
},
{
"name": "ModuleName",
"value": "bcryptPrimitives.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 645
},
{
"timestamp": "2026-03-08 06:36:06,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetDllHandle",
"status": false,
"return": "0xffffffffc0000135",
"pretty_return": "DLL_NOT_FOUND",
"arguments": [
{
"name": "FileName",
"value": "DDRAW.DLL"
},
{
"name": "ModuleHandle",
"value": "0x00000000"
}
],
"repeated": 1,
"id": 646
},
{
"timestamp": "2026-03-08 06:36:06,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetDllHandle",
"status": false,
"return": "0xffffffffc0000135",
"pretty_return": "DLL_NOT_FOUND",
"arguments": [
{
"name": "FileName",
"value": "D3D8.DLL"
},
{
"name": "ModuleHandle",
"value": "0x00000000"
}
],
"repeated": 0,
"id": 647
},
{
"timestamp": "2026-03-08 06:36:06,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetDllHandle",
"status": false,
"return": "0xffffffffc0000135",
"pretty_return": "DLL_NOT_FOUND",
"arguments": [
{
"name": "FileName",
"value": "D3D9.DLL"
},
{
"name": "ModuleHandle",
"value": "0x00000000"
}
],
"repeated": 1,
"id": 648
},
{
"timestamp": "2026-03-08 06:36:06,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "misc",
"api": "RtlDosPathNameToNtPathName_U",
"status": true,
"return": "0x00000001",
"arguments": [
{
"name": "DosFileName",
"value": "C:\\Windows\\System32\\bcryptPrimitives.dll"
}
],
"repeated": 0,
"id": 649
},
{
"timestamp": "2026-03-08 06:36:06,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "filesystem",
"api": "NtOpenFile",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileHandle",
"value": "0x000002d0"
},
{
"name": "DesiredAccess",
"value": "0x00020000",
"pretty_value": "READ_CONTROL"
},
{
"name": "FileName",
"value": "C:\\Windows\\System32\\bcryptPrimitives.dll"
},
{
"name": "ShareAccess",
"value": "5",
"pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
}
],
"repeated": 0,
"id": 650
},
{
"timestamp": "2026-03-08 06:36:06,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002d0"
}
],
"repeated": 0,
"id": 651
},
{
"timestamp": "2026-03-08 06:36:06,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "DllLoadNotification",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "NotificationReason",
"value": "load"
},
{
"name": "DllName",
"value": "C:\\Windows\\System32\\bcryptPrimitives"
},
{
"name": "DllBase",
"value": "0x76d80000"
}
],
"repeated": 0,
"id": 652
},
{
"timestamp": "2026-03-08 06:36:06,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c4"
},
{
"name": "DesiredAccess",
"value": "0x00000001",
"pretty_value": "KEY_QUERY_VALUE"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy"
}
],
"repeated": 0,
"id": 653
},
{
"timestamp": "2026-03-08 06:36:06,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c4"
},
{
"name": "ValueName",
"value": "STE"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE"
}
],
"repeated": 0,
"id": 654
},
{
"timestamp": "2026-03-08 06:36:06,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002c4"
}
],
"repeated": 0,
"id": 655
},
{
"timestamp": "2026-03-08 06:36:06,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c4"
},
{
"name": "DesiredAccess",
"value": "0x00000001",
"pretty_value": "KEY_QUERY_VALUE"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy"
}
],
"repeated": 0,
"id": 656
},
{
"timestamp": "2026-03-08 06:36:06,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtQueryValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c4"
},
{
"name": "ValueName",
"value": "Enabled"
},
{
"name": "Type",
"value": "4",
"pretty_value": "REG_DWORD"
},
{
"name": "Information",
"value": "0"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled"
}
],
"repeated": 0,
"id": 657
},
{
"timestamp": "2026-03-08 06:36:06,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002b4"
},
{
"name": "DesiredAccess",
"value": "0x00000001",
"pretty_value": "KEY_QUERY_VALUE"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa"
}
],
"repeated": 0,
"id": 658
},
{
"timestamp": "2026-03-08 06:36:06,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002b4"
},
{
"name": "ValueName",
"value": "FipsAlgorithmPolicy"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy"
}
],
"repeated": 0,
"id": 659
},
{
"timestamp": "2026-03-08 06:36:06,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002c4"
},
{
"name": "ValueName",
"value": "MDMEnabled"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled"
}
],
"repeated": 0,
"id": 660
},
{
"timestamp": "2026-03-08 06:36:06,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002c4"
}
],
"repeated": 0,
"id": 661
},
{
"timestamp": "2026-03-08 06:36:06,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002b4"
}
],
"repeated": 0,
"id": 662
},
{
"timestamp": "2026-03-08 06:36:06,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtOpenKey",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "KeyHandle",
"value": "0x00000000"
},
{
"name": "DesiredAccess",
"value": "0x00000001",
"pretty_value": "KEY_QUERY_VALUE"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Policies\\Microsoft\\Cryptography\\Configuration"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Policies\\Microsoft\\Cryptography\\Configuration"
}
],
"repeated": 0,
"id": 663
},
{
"timestamp": "2026-03-08 06:36:06,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "filesystem",
"api": "NtOpenFile",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileHandle",
"value": "0x000002b4"
},
{
"name": "DesiredAccess",
"value": "0x00100001",
"pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
},
{
"name": "FileName",
"value": "\\Device\\CNG"
},
{
"name": "ShareAccess",
"value": "7",
"pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
}
],
"repeated": 0,
"id": 664
},
{
"timestamp": "2026-03-08 06:36:06,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "device",
"api": "DeviceIoControl",
"status": true,
"return": "0x00000001",
"arguments": [
{
"name": "DeviceHandle",
"value": "0x000002b4"
},
{
"name": "IoControlCode",
"value": "0x00390008",
"pretty_value": "IOCTL_KSEC_RANDOM_FILL_BUFFER"
},
{
"name": "InBuffer",
"value": ""
},
{
"name": "OutBuffer",
"value": "%\\xd6\\xa2S\\xdf\\xff\\xaeI\\xc7d}d\\xd0R\\x9b\\x8b}\\xa1\\xabe\\xe4w\\xb0\\xcdK\\Ahl\\xdc\\xdd\\xf4\\xad\\xc3\\xbdR\\xd7\\x1e\\x01\\x1cto\\xd7H\\x16;5\\xd9"
}
],
"repeated": 0,
"id": 665
},
{
"timestamp": "2026-03-08 06:36:06,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrpCallInitRoutine",
"status": true,
"return": "0x00000001",
"arguments": [
{
"name": "MappedPath",
"value": "\\Device\\HarddiskVolume1\\Windows\\SysWOW64\\bcryptprimitives"
},
{
"name": "BaseAddress",
"value": "0x76d80000"
},
{
"name": "InitRoutine",
"value": "0x76db36c0"
},
{
"name": "Reason",
"value": "1"
}
],
"repeated": 0,
"id": 666
},
{
"timestamp": "2026-03-08 06:36:06,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x769b1000"
},
{
"name": "ModuleName",
"value": "RPCRT4.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "OldAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 667
},
{
"timestamp": "2026-03-08 06:36:06,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x769b1000"
},
{
"name": "ModuleName",
"value": "RPCRT4.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 668
},
{
"timestamp": "2026-03-08 06:36:06,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtAllocateVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x00783000"
},
{
"name": "RegionSize",
"value": "0x00004000"
},
{
"name": "Protection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 669
},
{
"timestamp": "2026-03-08 06:36:06,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x77d97000"
},
{
"name": "ModuleName",
"value": "combase.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "OldAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 670
},
{
"timestamp": "2026-03-08 06:36:06,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x77d97000"
},
{
"name": "ModuleName",
"value": "combase.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 671
},
{
"timestamp": "2026-03-08 06:36:06,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x774fd000"
},
{
"name": "ModuleName",
"value": "IMM32.DLL"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "OldAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 672
},
{
"timestamp": "2026-03-08 06:36:06,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x774fd000"
},
{
"name": "ModuleName",
"value": "IMM32.DLL"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 673
},
{
"timestamp": "2026-03-08 06:36:06,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002c4"
}
],
"repeated": 0,
"id": 674
},
{
"timestamp": "2026-03-08 06:36:06,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000001f4"
}
],
"repeated": 0,
"id": 675
},
{
"timestamp": "2026-03-08 06:36:06,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "misc",
"api": "ChangeWindowMessageFilter",
"status": true,
"return": "0x00000001",
"arguments": [
{
"name": "message",
"value": "49238"
},
{
"name": "dwFlag",
"value": "1"
}
],
"repeated": 0,
"id": 676
},
{
"timestamp": "2026-03-08 06:36:06,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "misc",
"api": "ChangeWindowMessageFilter",
"status": true,
"return": "0x00000001",
"arguments": [
{
"name": "message",
"value": "49239"
},
{
"name": "dwFlag",
"value": "1"
}
],
"repeated": 0,
"id": 677
},
{
"timestamp": "2026-03-08 06:36:06,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000001f4"
}
],
"repeated": 0,
"id": 678
},
{
"timestamp": "2026-03-08 06:36:06,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002c4"
}
],
"repeated": 1,
"id": 679
},
{
"timestamp": "2026-03-08 06:36:06,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000001f4"
}
],
"repeated": 0,
"id": 680
},
{
"timestamp": "2026-03-08 06:36:06,085",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "synchronization",
"api": "NtOpenMutant",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000001f4"
},
{
"name": "MutexName",
"value": "Local\\MSCTF.Asm.MutexDefault1"
}
],
"repeated": 0,
"id": 681
},
{
"timestamp": "2026-03-08 06:36:06,085",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "GetSystemTimeAsFileTime",
"status": true,
"return": "0x00000000",
"arguments": [],
"repeated": 0,
"id": 682
},
{
"timestamp": "2026-03-08 06:36:06,085",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtWaitForSingleObject",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000001f4"
},
{
"name": "Milliseconds",
"value": "2000"
}
],
"repeated": 0,
"id": 683
},
{
"timestamp": "2026-03-08 06:36:06,085",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtOpenSection",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "SectionHandle",
"value": "0x000002c4"
},
{
"name": "DesiredAccess",
"value": "0x00000004"
},
{
"name": "ObjectAttributes",
"value": "Local\\CTF.AsmListCache.FMPDefault1"
}
],
"repeated": 0,
"id": 684
},
{
"timestamp": "2026-03-08 06:36:06,085",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtMapViewOfSection",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "SectionHandle",
"value": "0x000002c4"
},
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x02530000"
},
{
"name": "SectionOffset",
"value": "0x0028dd2c"
},
{
"name": "ViewSize",
"value": "0x00001000"
},
{
"name": "Win32Protect",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 685
},
{
"timestamp": "2026-03-08 06:36:06,085",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtUnmapViewOfSectionEx",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x02530000"
},
{
"name": "RegionSize",
"value": "0x00001000"
},
{
"name": "Flags",
"value": "0"
}
],
"repeated": 0,
"id": 686
},
{
"timestamp": "2026-03-08 06:36:06,085",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002c4"
}
],
"repeated": 0,
"id": 687
},
{
"timestamp": "2026-03-08 06:36:06,085",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "synchronization",
"api": "NtReleaseMutant",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000001f4"
}
],
"repeated": 1,
"id": 688
},
{
"timestamp": "2026-03-08 06:36:06,085",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "misc",
"api": "RtlSetCurrentTransaction",
"status": true,
"return": "0x00000001",
"arguments": [
{
"name": "TransactionHandle",
"value": "0x00000000"
}
],
"repeated": 1,
"id": 689
},
{
"timestamp": "2026-03-08 06:36:06,085",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtOpenKeyEx",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "KeyHandle",
"value": "0x00000000"
},
{
"name": "DesiredAccess",
"value": "0x00020019",
"pretty_value": "KEY_READ"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000130"
},
{
"name": "ObjectAttributesName",
"value": "SOFTWARE\\Microsoft\\CTF\\Compatibility\\strings.exe"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\strings.exe"
}
],
"repeated": 0,
"id": 690
},
{
"timestamp": "2026-03-08 06:36:06,085",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "misc",
"api": "GetKeyboardLayout",
"status": true,
"return": "0x04190419",
"arguments": [
{
"name": "KeyboardLayout",
"value": "0x00000419"
},
{
"name": "LanguageName",
"value": "Russian"
}
],
"repeated": 1,
"id": 691
},
{
"timestamp": "2026-03-08 06:36:06,085",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "misc",
"api": "GetSystemMetrics",
"status": false,
"return": "0x00000000",
"arguments": [
{
"name": "SystemMetricIndex",
"value": "8192"
}
],
"repeated": 0,
"id": 692
},
{
"timestamp": "2026-03-08 06:36:06,085",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "synchronization",
"api": "NtOpenMutant",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000001f4"
},
{
"name": "MutexName",
"value": "CicLoadWinStaWinSta0"
}
],
"repeated": 0,
"id": 693
},
{
"timestamp": "2026-03-08 06:36:06,085",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000001f4"
}
],
"repeated": 0,
"id": 694
},
{
"timestamp": "2026-03-08 06:36:06,085",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "synchronization",
"api": "NtOpenMutant",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000001f4"
},
{
"name": "MutexName",
"value": "Local\\MSCTF.CtfMonitorInstMutexDefault1"
}
],
"repeated": 0,
"id": 695
},
{
"timestamp": "2026-03-08 06:36:06,085",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000001f4"
}
],
"repeated": 0,
"id": 696
},
{
"timestamp": "2026-03-08 06:36:06,085",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "misc",
"api": "RtlSetCurrentTransaction",
"status": true,
"return": "0x00000001",
"arguments": [
{
"name": "TransactionHandle",
"value": "0x00000000"
}
],
"repeated": 1,
"id": 697
},
{
"timestamp": "2026-03-08 06:36:06,085",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtOpenKeyEx",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002d4"
},
{
"name": "DesiredAccess",
"value": "0x00000001",
"pretty_value": "KEY_QUERY_VALUE"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000130"
},
{
"name": "ObjectAttributesName",
"value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\OOBE"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\OOBE"
}
],
"repeated": 0,
"id": 698
},
{
"timestamp": "2026-03-08 06:36:06,085",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002d4"
},
{
"name": "ValueName",
"value": "LaunchUserOOBE"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\OOBE\\LaunchUserOOBE"
}
],
"repeated": 0,
"id": 699
},
{
"timestamp": "2026-03-08 06:36:06,085",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002d4"
}
],
"repeated": 0,
"id": 700
},
{
"timestamp": "2026-03-08 06:36:06,085",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x76c68000"
},
{
"name": "ModuleName",
"value": "MSCTF.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "OldAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 701
},
{
"timestamp": "2026-03-08 06:36:06,085",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x76c68000"
},
{
"name": "ModuleName",
"value": "MSCTF.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 702
},
{
"timestamp": "2026-03-08 06:36:06,085",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtQueryInformationToken",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "TokenInformationClass",
"value": "29"
},
{
"name": "TokenInformation",
"value": "\\x00\\x00\\x00\\x00"
}
],
"repeated": 0,
"id": 703
},
{
"timestamp": "2026-03-08 06:36:06,085",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetDllHandle",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileName",
"value": "ntdll.dll"
},
{
"name": "ModuleHandle",
"value": "0x77e40000"
}
],
"repeated": 0,
"id": 704
},
{
"timestamp": "2026-03-08 06:36:06,085",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "ntdll.dll"
},
{
"name": "ModuleHandle",
"value": "0x77e40000"
},
{
"name": "FunctionName",
"value": "RtlRegisterFeatureConfigurationChangeNotification"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x77e724f0"
}
],
"repeated": 0,
"id": 705
},
{
"timestamp": "2026-03-08 06:36:06,085",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "ntdll.dll"
},
{
"name": "ModuleHandle",
"value": "0x77e40000"
},
{
"name": "FunctionName",
"value": "NtQueryWnfStateData"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x77eb40c0"
}
],
"repeated": 0,
"id": 706
},
{
"timestamp": "2026-03-08 06:36:06,085",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "ntdll.dll"
},
{
"name": "ModuleHandle",
"value": "0x77e40000"
},
{
"name": "FunctionName",
"value": "RtlSubscribeWnfStateChangeNotification"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x77e70780"
}
],
"repeated": 0,
"id": 707
},
{
"timestamp": "2026-03-08 06:36:06,085",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "ntdll.dll"
},
{
"name": "ModuleHandle",
"value": "0x77e40000"
},
{
"name": "FunctionName",
"value": "RtlDisownModuleHeapAllocation"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x77eac2a0"
}
],
"repeated": 0,
"id": 708
},
{
"timestamp": "2026-03-08 06:36:06,085",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "ntdll.dll"
},
{
"name": "ModuleHandle",
"value": "0x77e40000"
},
{
"name": "FunctionName",
"value": "RtlQueryFeatureConfiguration"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x77ea52e0"
}
],
"repeated": 0,
"id": 709
},
{
"timestamp": "2026-03-08 06:36:06,085",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "ntdll.dll"
},
{
"name": "ModuleHandle",
"value": "0x77e40000"
},
{
"name": "FunctionName",
"value": "RtlDllShutdownInProgress"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x77e9f5a0"
}
],
"repeated": 0,
"id": 710
},
{
"timestamp": "2026-03-08 06:36:06,085",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "synchronization",
"api": "NtCreateMutant",
"status": true,
"return": "0x40000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002e8"
},
{
"name": "MutexName",
"value": "Local\\SM0:6132:168:WilStaging_02"
},
{
"name": "InitialOwner",
"value": "0"
}
],
"repeated": 0,
"id": 711
},
{
"timestamp": "2026-03-08 06:36:06,085",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtWaitForSingleObject",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002e8"
},
{
"name": "Milliseconds",
"value": "18446744073709551615"
},
{
"name": "Status",
"value": "Infinite"
}
],
"repeated": 0,
"id": 712
},
{
"timestamp": "2026-03-08 06:36:06,085",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "GetSystemTimeAsFileTime",
"status": true,
"return": "0x00000000",
"arguments": [],
"repeated": 0,
"id": 713
},
{
"timestamp": "2026-03-08 06:36:06,085",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtWaitForSingleObject",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002ec"
},
{
"name": "Milliseconds",
"value": "0"
}
],
"repeated": 0,
"id": 714
},
{
"timestamp": "2026-03-08 06:36:06,085",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002ec"
}
],
"repeated": 0,
"id": 715
},
{
"timestamp": "2026-03-08 06:36:06,085",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "synchronization",
"api": "NtReleaseMutant",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002e8"
}
],
"repeated": 1,
"id": 716
},
{
"timestamp": "2026-03-08 06:36:06,085",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtOpenSection",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "SectionHandle",
"value": "0x00000000"
},
{
"name": "DesiredAccess",
"value": "0x0000000d"
},
{
"name": "ObjectAttributes",
"value": "textinputframework.dll"
}
],
"repeated": 0,
"id": 717
},
{
"timestamp": "2026-03-08 06:36:06,085",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "filesystem",
"api": "NtQueryAttributesFile",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileName",
"value": "C:\\Windows\\System32\\textinputframework.dll"
}
],
"repeated": 0,
"id": 718
},
{
"timestamp": "2026-03-08 06:36:06,085",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "filesystem",
"api": "NtOpenFile",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileHandle",
"value": "0x000002ec"
},
{
"name": "DesiredAccess",
"value": "0x00100021",
"pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
},
{
"name": "FileName",
"value": "C:\\Windows\\System32\\textinputframework.dll"
},
{
"name": "ShareAccess",
"value": "5",
"pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
}
],
"repeated": 0,
"id": 719
},
{
"timestamp": "2026-03-08 06:36:06,100",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtCreateSection",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "SectionHandle",
"value": "0x000002f0"
},
{
"name": "DesiredAccess",
"value": "0x0000000d",
"pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
},
{
"name": "ObjectAttributes",
"value": ""
},
{
"name": "FileHandle",
"value": "0x000002ec"
},
{
"name": "FileName",
"value": "C:\\Windows\\SysWOW64\\TextInputFramework.dll"
}
],
"repeated": 0,
"id": 720
},
{
"timestamp": "2026-03-08 06:36:06,116",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtMapViewOfSection",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "SectionHandle",
"value": "0x000002f0"
},
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x73ab0000"
},
{
"name": "SectionOffset",
"value": "0x00000000"
},
{
"name": "ViewSize",
"value": "0x000b9000"
},
{
"name": "Win32Protect",
"value": "0x00000080",
"pretty_value": "PAGE_EXECUTE_WRITECOPY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 721
},
{
"timestamp": "2026-03-08 06:36:06,116",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x73b5e000"
},
{
"name": "ModuleName",
"value": "textinputframework.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 722
},
{
"timestamp": "2026-03-08 06:36:06,116",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x77f69000"
},
{
"name": "ModuleName",
"value": "ntdll.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00003000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "OldAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 723
},
{
"timestamp": "2026-03-08 06:36:06,116",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x77f69000"
},
{
"name": "ModuleName",
"value": "ntdll.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00003000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 724
},
{
"timestamp": "2026-03-08 06:36:06,116",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x73b5c000"
},
{
"name": "ModuleName",
"value": "textinputframework.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "OldAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 725
},
{
"timestamp": "2026-03-08 06:36:06,116",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtOpenSection",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "SectionHandle",
"value": "0x00000000"
},
{
"name": "DesiredAccess",
"value": "0x0000000d"
},
{
"name": "ObjectAttributes",
"value": "CoreUIComponents.dll"
}
],
"repeated": 0,
"id": 726
},
{
"timestamp": "2026-03-08 06:36:06,116",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtOpenSection",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "SectionHandle",
"value": "0x00000000"
},
{
"name": "DesiredAccess",
"value": "0x0000000d"
},
{
"name": "ObjectAttributes",
"value": "CoreMessaging.dll"
}
],
"repeated": 0,
"id": 727
},
{
"timestamp": "2026-03-08 06:36:06,116",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002f0"
}
],
"repeated": 0,
"id": 728
},
{
"timestamp": "2026-03-08 06:36:06,116",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002ec"
}
],
"repeated": 0,
"id": 729
},
{
"timestamp": "2026-03-08 06:36:06,116",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "filesystem",
"api": "NtQueryAttributesFile",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileName",
"value": "C:\\Windows\\System32\\CoreUIComponents.dll"
}
],
"repeated": 0,
"id": 730
},
{
"timestamp": "2026-03-08 06:36:06,116",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "filesystem",
"api": "NtOpenFile",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileHandle",
"value": "0x000002ec"
},
{
"name": "DesiredAccess",
"value": "0x00100021",
"pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
},
{
"name": "FileName",
"value": "C:\\Windows\\System32\\CoreUIComponents.dll"
},
{
"name": "ShareAccess",
"value": "5",
"pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
}
],
"repeated": 0,
"id": 731
},
{
"timestamp": "2026-03-08 06:36:06,132",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtCreateSection",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "SectionHandle",
"value": "0x000002f0"
},
{
"name": "DesiredAccess",
"value": "0x0000000d",
"pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
},
{
"name": "ObjectAttributes",
"value": ""
},
{
"name": "FileHandle",
"value": "0x000002ec"
},
{
"name": "FileName",
"value": "C:\\Windows\\SysWOW64\\CoreUIComponents.dll"
}
],
"repeated": 0,
"id": 732
},
{
"timestamp": "2026-03-08 06:36:06,132",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtMapViewOfSection",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "SectionHandle",
"value": "0x000002f0"
},
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x73830000"
},
{
"name": "SectionOffset",
"value": "0x00000000"
},
{
"name": "ViewSize",
"value": "0x0027e000"
},
{
"name": "Win32Protect",
"value": "0x00000080",
"pretty_value": "PAGE_EXECUTE_WRITECOPY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 733
},
{
"timestamp": "2026-03-08 06:36:06,147",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x73a4a000"
},
{
"name": "ModuleName",
"value": "CoreUIComponents.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 734
},
{
"timestamp": "2026-03-08 06:36:06,147",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x77f69000"
},
{
"name": "ModuleName",
"value": "ntdll.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00003000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "OldAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 735
},
{
"timestamp": "2026-03-08 06:36:06,147",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x77f69000"
},
{
"name": "ModuleName",
"value": "ntdll.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00003000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 736
},
{
"timestamp": "2026-03-08 06:36:06,147",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x7399d000"
},
{
"name": "ModuleName",
"value": "CoreUIComponents.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "OldAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 737
},
{
"timestamp": "2026-03-08 06:36:06,147",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtOpenSection",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "SectionHandle",
"value": "0x00000000"
},
{
"name": "DesiredAccess",
"value": "0x0000000d"
},
{
"name": "ObjectAttributes",
"value": "ntmarta.dll"
}
],
"repeated": 0,
"id": 738
},
{
"timestamp": "2026-03-08 06:36:06,147",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtOpenSection",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "SectionHandle",
"value": "0x00000000"
},
{
"name": "DesiredAccess",
"value": "0x0000000d"
},
{
"name": "ObjectAttributes",
"value": "CoreMessaging.dll"
}
],
"repeated": 0,
"id": 739
},
{
"timestamp": "2026-03-08 06:36:06,147",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtOpenSection",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "SectionHandle",
"value": "0x00000000"
},
{
"name": "DesiredAccess",
"value": "0x0000000d"
},
{
"name": "ObjectAttributes",
"value": "wintypes.dll"
}
],
"repeated": 2,
"id": 740
},
{
"timestamp": "2026-03-08 06:36:06,147",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002f0"
}
],
"repeated": 0,
"id": 741
},
{
"timestamp": "2026-03-08 06:36:06,147",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002ec"
}
],
"repeated": 0,
"id": 742
},
{
"timestamp": "2026-03-08 06:36:06,147",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "filesystem",
"api": "NtQueryAttributesFile",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileName",
"value": "C:\\Windows\\System32\\CoreMessaging.dll"
}
],
"repeated": 0,
"id": 743
},
{
"timestamp": "2026-03-08 06:36:06,147",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "filesystem",
"api": "NtOpenFile",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileHandle",
"value": "0x000002ec"
},
{
"name": "DesiredAccess",
"value": "0x00100021",
"pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
},
{
"name": "FileName",
"value": "C:\\Windows\\System32\\CoreMessaging.dll"
},
{
"name": "ShareAccess",
"value": "5",
"pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
}
],
"repeated": 0,
"id": 744
},
{
"timestamp": "2026-03-08 06:36:06,163",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtCreateSection",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "SectionHandle",
"value": "0x000002f8"
},
{
"name": "DesiredAccess",
"value": "0x0000000d",
"pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
},
{
"name": "ObjectAttributes",
"value": ""
},
{
"name": "FileHandle",
"value": "0x000002ec"
},
{
"name": "FileName",
"value": "C:\\Windows\\SysWOW64\\CoreMessaging.dll"
}
],
"repeated": 0,
"id": 745
},
{
"timestamp": "2026-03-08 06:36:06,163",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtMapViewOfSection",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "SectionHandle",
"value": "0x000002f8"
},
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x73790000"
},
{
"name": "SectionOffset",
"value": "0x00000000"
},
{
"name": "ViewSize",
"value": "0x0009b000"
},
{
"name": "Win32Protect",
"value": "0x00000080",
"pretty_value": "PAGE_EXECUTE_WRITECOPY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 746
},
{
"timestamp": "2026-03-08 06:36:06,178",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x73814000"
},
{
"name": "ModuleName",
"value": "CoreMessaging.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 747
},
{
"timestamp": "2026-03-08 06:36:06,178",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x77f69000"
},
{
"name": "ModuleName",
"value": "ntdll.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00003000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "OldAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 748
},
{
"timestamp": "2026-03-08 06:36:06,178",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x77f69000"
},
{
"name": "ModuleName",
"value": "ntdll.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00003000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 749
},
{
"timestamp": "2026-03-08 06:36:06,178",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x737f6000"
},
{
"name": "ModuleName",
"value": "CoreMessaging.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "OldAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 750
},
{
"timestamp": "2026-03-08 06:36:06,178",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002f8"
}
],
"repeated": 0,
"id": 751
},
{
"timestamp": "2026-03-08 06:36:06,178",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002ec"
}
],
"repeated": 0,
"id": 752
},
{
"timestamp": "2026-03-08 06:36:06,178",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "filesystem",
"api": "NtQueryAttributesFile",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileName",
"value": "C:\\Windows\\System32\\ntmarta.dll"
}
],
"repeated": 0,
"id": 753
},
{
"timestamp": "2026-03-08 06:36:06,178",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "filesystem",
"api": "NtOpenFile",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileHandle",
"value": "0x000002ec"
},
{
"name": "DesiredAccess",
"value": "0x00100021",
"pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
},
{
"name": "FileName",
"value": "C:\\Windows\\System32\\ntmarta.dll"
},
{
"name": "ShareAccess",
"value": "5",
"pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
}
],
"repeated": 0,
"id": 754
},
{
"timestamp": "2026-03-08 06:36:06,178",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtCreateSection",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "SectionHandle",
"value": "0x000002f8"
},
{
"name": "DesiredAccess",
"value": "0x0000000d",
"pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
},
{
"name": "ObjectAttributes",
"value": ""
},
{
"name": "FileHandle",
"value": "0x000002ec"
},
{
"name": "FileName",
"value": "C:\\Windows\\SysWOW64\\ntmarta.dll"
}
],
"repeated": 0,
"id": 755
},
{
"timestamp": "2026-03-08 06:36:06,178",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtMapViewOfSection",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "SectionHandle",
"value": "0x000002f8"
},
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x73760000"
},
{
"name": "SectionOffset",
"value": "0x00000000"
},
{
"name": "ViewSize",
"value": "0x00029000"
},
{
"name": "Win32Protect",
"value": "0x00000080",
"pretty_value": "PAGE_EXECUTE_WRITECOPY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 756
},
{
"timestamp": "2026-03-08 06:36:06,178",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x73785000"
},
{
"name": "ModuleName",
"value": "ntmarta.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 757
},
{
"timestamp": "2026-03-08 06:36:06,178",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x77f69000"
},
{
"name": "ModuleName",
"value": "ntdll.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00003000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "OldAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 758
},
{
"timestamp": "2026-03-08 06:36:06,178",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x77f69000"
},
{
"name": "ModuleName",
"value": "ntdll.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00003000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 759
},
{
"timestamp": "2026-03-08 06:36:06,178",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x73783000"
},
{
"name": "ModuleName",
"value": "ntmarta.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "OldAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 760
},
{
"timestamp": "2026-03-08 06:36:06,178",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002f8"
}
],
"repeated": 0,
"id": 761
},
{
"timestamp": "2026-03-08 06:36:06,178",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002ec"
}
],
"repeated": 0,
"id": 762
},
{
"timestamp": "2026-03-08 06:36:06,178",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "filesystem",
"api": "NtQueryAttributesFile",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileName",
"value": "C:\\Windows\\System32\\CoreMessaging.dll"
}
],
"repeated": 0,
"id": 763
},
{
"timestamp": "2026-03-08 06:36:06,178",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "filesystem",
"api": "NtQueryAttributesFile",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileName",
"value": "C:\\Windows\\System32\\WinTypes.dll"
}
],
"repeated": 0,
"id": 764
},
{
"timestamp": "2026-03-08 06:36:06,178",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "filesystem",
"api": "NtOpenFile",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileHandle",
"value": "0x000002ec"
},
{
"name": "DesiredAccess",
"value": "0x00100021",
"pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
},
{
"name": "FileName",
"value": "C:\\Windows\\System32\\WinTypes.dll"
},
{
"name": "ShareAccess",
"value": "5",
"pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
}
],
"repeated": 0,
"id": 765
},
{
"timestamp": "2026-03-08 06:36:06,225",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtCreateSection",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "SectionHandle",
"value": "0x000002f8"
},
{
"name": "DesiredAccess",
"value": "0x0000000d",
"pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
},
{
"name": "ObjectAttributes",
"value": ""
},
{
"name": "FileHandle",
"value": "0x000002ec"
},
{
"name": "FileName",
"value": "C:\\Windows\\SysWOW64\\WinTypes.dll"
}
],
"repeated": 0,
"id": 766
},
{
"timestamp": "2026-03-08 06:36:06,241",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtMapViewOfSection",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "SectionHandle",
"value": "0x000002f8"
},
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x73680000"
},
{
"name": "SectionOffset",
"value": "0x00000000"
},
{
"name": "ViewSize",
"value": "0x000db000"
},
{
"name": "Win32Protect",
"value": "0x00000080",
"pretty_value": "PAGE_EXECUTE_WRITECOPY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 767
},
{
"timestamp": "2026-03-08 06:36:06,241",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x73742000"
},
{
"name": "ModuleName",
"value": "wintypes.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 768
},
{
"timestamp": "2026-03-08 06:36:06,241",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x77f69000"
},
{
"name": "ModuleName",
"value": "ntdll.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00003000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "OldAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 769
},
{
"timestamp": "2026-03-08 06:36:06,241",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x77f69000"
},
{
"name": "ModuleName",
"value": "ntdll.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00003000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 770
},
{
"timestamp": "2026-03-08 06:36:06,241",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x73740000"
},
{
"name": "ModuleName",
"value": "wintypes.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "OldAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 771
},
{
"timestamp": "2026-03-08 06:36:06,241",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002f8"
}
],
"repeated": 0,
"id": 772
},
{
"timestamp": "2026-03-08 06:36:06,241",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002ec"
}
],
"repeated": 0,
"id": 773
},
{
"timestamp": "2026-03-08 06:36:06,241",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "filesystem",
"api": "NtQueryAttributesFile",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileName",
"value": "C:\\Windows\\System32\\WinTypes.dll"
}
],
"repeated": 1,
"id": 774
},
{
"timestamp": "2026-03-08 06:36:06,241",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x73b5c000"
},
{
"name": "ModuleName",
"value": "textinputframework.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 775
},
{
"timestamp": "2026-03-08 06:36:06,241",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x737f6000"
},
{
"name": "ModuleName",
"value": "CoreMessaging.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 776
},
{
"timestamp": "2026-03-08 06:36:06,241",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x73783000"
},
{
"name": "ModuleName",
"value": "ntmarta.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 777
},
{
"timestamp": "2026-03-08 06:36:06,241",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x73740000"
},
{
"name": "ModuleName",
"value": "wintypes.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 778
},
{
"timestamp": "2026-03-08 06:36:06,241",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x7399d000"
},
{
"name": "ModuleName",
"value": "CoreUIComponents.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 779
},
{
"timestamp": "2026-03-08 06:36:06,241",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtSetInformationProcess",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessInformationClass",
"value": "35"
},
{
"name": "ProcessInformation",
"value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00w\\x00s\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00T\\x00E\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00w\\x00i\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00e\\x00s\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00he"
}
],
"repeated": 0,
"id": 780
},
{
"timestamp": "2026-03-08 06:36:06,241",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetDllHandle",
"status": false,
"return": "0xffffffffc0000135",
"pretty_return": "DLL_NOT_FOUND",
"arguments": [
{
"name": "FileName",
"value": "DDRAW.DLL"
},
{
"name": "ModuleHandle",
"value": "0x00000000"
}
],
"repeated": 1,
"id": 781
},
{
"timestamp": "2026-03-08 06:36:06,241",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetDllHandle",
"status": false,
"return": "0xffffffffc0000135",
"pretty_return": "DLL_NOT_FOUND",
"arguments": [
{
"name": "FileName",
"value": "D3D8.DLL"
},
{
"name": "ModuleHandle",
"value": "0x00000000"
}
],
"repeated": 0,
"id": 782
},
{
"timestamp": "2026-03-08 06:36:06,241",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetDllHandle",
"status": false,
"return": "0xffffffffc0000135",
"pretty_return": "DLL_NOT_FOUND",
"arguments": [
{
"name": "FileName",
"value": "D3D9.DLL"
},
{
"name": "ModuleHandle",
"value": "0x00000000"
}
],
"repeated": 1,
"id": 783
},
{
"timestamp": "2026-03-08 06:36:06,241",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "misc",
"api": "RtlDosPathNameToNtPathName_U",
"status": true,
"return": "0x00000001",
"arguments": [
{
"name": "DosFileName",
"value": "C:\\Windows\\SYSTEM32\\ntmarta.dll"
}
],
"repeated": 0,
"id": 784
},
{
"timestamp": "2026-03-08 06:36:06,241",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "filesystem",
"api": "NtOpenFile",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileHandle",
"value": "0x000002ec"
},
{
"name": "DesiredAccess",
"value": "0x00020000",
"pretty_value": "READ_CONTROL"
},
{
"name": "FileName",
"value": "C:\\Windows\\System32\\ntmarta.dll"
},
{
"name": "ShareAccess",
"value": "5",
"pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
}
],
"repeated": 0,
"id": 785
},
{
"timestamp": "2026-03-08 06:36:06,241",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002ec"
}
],
"repeated": 0,
"id": 786
},
{
"timestamp": "2026-03-08 06:36:06,241",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "DllLoadNotification",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "NotificationReason",
"value": "load"
},
{
"name": "DllName",
"value": "C:\\Windows\\SYSTEM32\\ntmarta"
},
{
"name": "DllBase",
"value": "0x73760000"
}
],
"repeated": 0,
"id": 787
},
{
"timestamp": "2026-03-08 06:36:06,257",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetDllHandle",
"status": false,
"return": "0xffffffffc0000135",
"pretty_return": "DLL_NOT_FOUND",
"arguments": [
{
"name": "FileName",
"value": "DDRAW.DLL"
},
{
"name": "ModuleHandle",
"value": "0x00000000"
}
],
"repeated": 1,
"id": 788
},
{
"timestamp": "2026-03-08 06:36:06,257",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetDllHandle",
"status": false,
"return": "0xffffffffc0000135",
"pretty_return": "DLL_NOT_FOUND",
"arguments": [
{
"name": "FileName",
"value": "D3D8.DLL"
},
{
"name": "ModuleHandle",
"value": "0x00000000"
}
],
"repeated": 0,
"id": 789
},
{
"timestamp": "2026-03-08 06:36:06,257",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetDllHandle",
"status": false,
"return": "0xffffffffc0000135",
"pretty_return": "DLL_NOT_FOUND",
"arguments": [
{
"name": "FileName",
"value": "D3D9.DLL"
},
{
"name": "ModuleHandle",
"value": "0x00000000"
}
],
"repeated": 1,
"id": 790
},
{
"timestamp": "2026-03-08 06:36:06,257",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "misc",
"api": "RtlDosPathNameToNtPathName_U",
"status": true,
"return": "0x00000001",
"arguments": [
{
"name": "DosFileName",
"value": "C:\\Windows\\System32\\CoreMessaging.dll"
}
],
"repeated": 0,
"id": 791
},
{
"timestamp": "2026-03-08 06:36:06,257",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "filesystem",
"api": "NtOpenFile",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileHandle",
"value": "0x000002ec"
},
{
"name": "DesiredAccess",
"value": "0x00020000",
"pretty_value": "READ_CONTROL"
},
{
"name": "FileName",
"value": "C:\\Windows\\System32\\CoreMessaging.dll"
},
{
"name": "ShareAccess",
"value": "5",
"pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
}
],
"repeated": 0,
"id": 792
},
{
"timestamp": "2026-03-08 06:36:06,257",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002ec"
}
],
"repeated": 0,
"id": 793
},
{
"timestamp": "2026-03-08 06:36:06,257",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "DllLoadNotification",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "NotificationReason",
"value": "load"
},
{
"name": "DllName",
"value": "C:\\Windows\\System32\\CoreMessaging"
},
{
"name": "DllBase",
"value": "0x73790000"
}
],
"repeated": 0,
"id": 794
},
{
"timestamp": "2026-03-08 06:36:06,272",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetDllHandle",
"status": false,
"return": "0xffffffffc0000135",
"pretty_return": "DLL_NOT_FOUND",
"arguments": [
{
"name": "FileName",
"value": "DDRAW.DLL"
},
{
"name": "ModuleHandle",
"value": "0x00000000"
}
],
"repeated": 1,
"id": 795
},
{
"timestamp": "2026-03-08 06:36:06,272",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetDllHandle",
"status": false,
"return": "0xffffffffc0000135",
"pretty_return": "DLL_NOT_FOUND",
"arguments": [
{
"name": "FileName",
"value": "D3D8.DLL"
},
{
"name": "ModuleHandle",
"value": "0x00000000"
}
],
"repeated": 0,
"id": 796
},
{
"timestamp": "2026-03-08 06:36:06,272",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetDllHandle",
"status": false,
"return": "0xffffffffc0000135",
"pretty_return": "DLL_NOT_FOUND",
"arguments": [
{
"name": "FileName",
"value": "D3D9.DLL"
},
{
"name": "ModuleHandle",
"value": "0x00000000"
}
],
"repeated": 1,
"id": 797
},
{
"timestamp": "2026-03-08 06:36:06,272",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "misc",
"api": "RtlDosPathNameToNtPathName_U",
"status": true,
"return": "0x00000001",
"arguments": [
{
"name": "DosFileName",
"value": "C:\\Windows\\SYSTEM32\\wintypes.dll"
}
],
"repeated": 0,
"id": 798
},
{
"timestamp": "2026-03-08 06:36:06,272",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "filesystem",
"api": "NtOpenFile",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileHandle",
"value": "0x000002ec"
},
{
"name": "DesiredAccess",
"value": "0x00020000",
"pretty_value": "READ_CONTROL"
},
{
"name": "FileName",
"value": "C:\\Windows\\System32\\WinTypes.dll"
},
{
"name": "ShareAccess",
"value": "5",
"pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
}
],
"repeated": 0,
"id": 799
},
{
"timestamp": "2026-03-08 06:36:06,272",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002ec"
}
],
"repeated": 0,
"id": 800
},
{
"timestamp": "2026-03-08 06:36:06,272",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "DllLoadNotification",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "NotificationReason",
"value": "load"
},
{
"name": "DllName",
"value": "C:\\Windows\\SYSTEM32\\wintypes"
},
{
"name": "DllBase",
"value": "0x73680000"
}
],
"repeated": 0,
"id": 801
},
{
"timestamp": "2026-03-08 06:36:06,272",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetDllHandle",
"status": false,
"return": "0xffffffffc0000135",
"pretty_return": "DLL_NOT_FOUND",
"arguments": [
{
"name": "FileName",
"value": "DDRAW.DLL"
},
{
"name": "ModuleHandle",
"value": "0x00000000"
}
],
"repeated": 1,
"id": 802
},
{
"timestamp": "2026-03-08 06:36:06,272",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetDllHandle",
"status": false,
"return": "0xffffffffc0000135",
"pretty_return": "DLL_NOT_FOUND",
"arguments": [
{
"name": "FileName",
"value": "D3D8.DLL"
},
{
"name": "ModuleHandle",
"value": "0x00000000"
}
],
"repeated": 0,
"id": 803
},
{
"timestamp": "2026-03-08 06:36:06,272",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetDllHandle",
"status": false,
"return": "0xffffffffc0000135",
"pretty_return": "DLL_NOT_FOUND",
"arguments": [
{
"name": "FileName",
"value": "D3D9.DLL"
},
{
"name": "ModuleHandle",
"value": "0x00000000"
}
],
"repeated": 1,
"id": 804
},
{
"timestamp": "2026-03-08 06:36:06,272",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "misc",
"api": "RtlDosPathNameToNtPathName_U",
"status": true,
"return": "0x00000001",
"arguments": [
{
"name": "DosFileName",
"value": "C:\\Windows\\System32\\CoreUIComponents.dll"
}
],
"repeated": 0,
"id": 805
},
{
"timestamp": "2026-03-08 06:36:06,272",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "filesystem",
"api": "NtOpenFile",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileHandle",
"value": "0x000002ec"
},
{
"name": "DesiredAccess",
"value": "0x00020000",
"pretty_value": "READ_CONTROL"
},
{
"name": "FileName",
"value": "C:\\Windows\\System32\\CoreUIComponents.dll"
},
{
"name": "ShareAccess",
"value": "5",
"pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
}
],
"repeated": 0,
"id": 806
},
{
"timestamp": "2026-03-08 06:36:06,272",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002ec"
}
],
"repeated": 0,
"id": 807
},
{
"timestamp": "2026-03-08 06:36:06,272",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "DllLoadNotification",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "NotificationReason",
"value": "load"
},
{
"name": "DllName",
"value": "C:\\Windows\\System32\\CoreUIComponents"
},
{
"name": "DllBase",
"value": "0x73830000"
}
],
"repeated": 0,
"id": 808
},
{
"timestamp": "2026-03-08 06:36:06,272",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetDllHandle",
"status": false,
"return": "0xffffffffc0000135",
"pretty_return": "DLL_NOT_FOUND",
"arguments": [
{
"name": "FileName",
"value": "DDRAW.DLL"
},
{
"name": "ModuleHandle",
"value": "0x00000000"
}
],
"repeated": 1,
"id": 809
},
{
"timestamp": "2026-03-08 06:36:06,272",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetDllHandle",
"status": false,
"return": "0xffffffffc0000135",
"pretty_return": "DLL_NOT_FOUND",
"arguments": [
{
"name": "FileName",
"value": "D3D8.DLL"
},
{
"name": "ModuleHandle",
"value": "0x00000000"
}
],
"repeated": 0,
"id": 810
},
{
"timestamp": "2026-03-08 06:36:06,272",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetDllHandle",
"status": false,
"return": "0xffffffffc0000135",
"pretty_return": "DLL_NOT_FOUND",
"arguments": [
{
"name": "FileName",
"value": "D3D9.DLL"
},
{
"name": "ModuleHandle",
"value": "0x00000000"
}
],
"repeated": 1,
"id": 811
},
{
"timestamp": "2026-03-08 06:36:06,272",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "misc",
"api": "RtlDosPathNameToNtPathName_U",
"status": true,
"return": "0x00000001",
"arguments": [
{
"name": "DosFileName",
"value": "C:\\Windows\\SYSTEM32\\textinputframework.dll"
}
],
"repeated": 0,
"id": 812
},
{
"timestamp": "2026-03-08 06:36:06,272",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "filesystem",
"api": "NtOpenFile",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileHandle",
"value": "0x000002ec"
},
{
"name": "DesiredAccess",
"value": "0x00020000",
"pretty_value": "READ_CONTROL"
},
{
"name": "FileName",
"value": "C:\\Windows\\System32\\textinputframework.dll"
},
{
"name": "ShareAccess",
"value": "5",
"pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
}
],
"repeated": 0,
"id": 813
},
{
"timestamp": "2026-03-08 06:36:06,272",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002ec"
}
],
"repeated": 0,
"id": 814
},
{
"timestamp": "2026-03-08 06:36:06,272",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "DllLoadNotification",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "NotificationReason",
"value": "load"
},
{
"name": "DllName",
"value": "C:\\Windows\\SYSTEM32\\textinputframework"
},
{
"name": "DllBase",
"value": "0x73ab0000"
}
],
"repeated": 0,
"id": 815
},
{
"timestamp": "2026-03-08 06:36:06,288",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrpCallInitRoutine",
"status": true,
"return": "0x00000001",
"arguments": [
{
"name": "MappedPath",
"value": "\\Device\\HarddiskVolume1\\Windows\\SysWOW64\\ntmarta"
},
{
"name": "BaseAddress",
"value": "0x73760000"
},
{
"name": "InitRoutine",
"value": "0x73767e90"
},
{
"name": "Reason",
"value": "1"
}
],
"repeated": 0,
"id": 816
},
{
"timestamp": "2026-03-08 06:36:06,350",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrpCallInitRoutine",
"status": true,
"return": "0x00000001",
"arguments": [
{
"name": "MappedPath",
"value": "\\Device\\HarddiskVolume1\\Windows\\SysWOW64\\CoreMessaging"
},
{
"name": "BaseAddress",
"value": "0x73790000"
},
{
"name": "InitRoutine",
"value": "0x737f0f00"
},
{
"name": "Reason",
"value": "1"
}
],
"repeated": 0,
"id": 817
},
{
"timestamp": "2026-03-08 06:36:06,366",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrpCallInitRoutine",
"status": true,
"return": "0x00000001",
"arguments": [
{
"name": "MappedPath",
"value": "\\Device\\HarddiskVolume1\\Windows\\SysWOW64\\WinTypes"
},
{
"name": "BaseAddress",
"value": "0x73680000"
},
{
"name": "InitRoutine",
"value": "0x736f8560"
},
{
"name": "Reason",
"value": "1"
}
],
"repeated": 0,
"id": 818
},
{
"timestamp": "2026-03-08 06:36:06,366",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtAllocateVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x023f3000"
},
{
"name": "RegionSize",
"value": "0x00001000"
},
{
"name": "Protection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 819
},
{
"timestamp": "2026-03-08 06:36:06,397",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtAllocateVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x023f4000"
},
{
"name": "RegionSize",
"value": "0x00002000"
},
{
"name": "Protection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 820
},
{
"timestamp": "2026-03-08 06:36:06,397",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtAllocateVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x023f6000"
},
{
"name": "RegionSize",
"value": "0x00002000"
},
{
"name": "Protection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 821
},
{
"timestamp": "2026-03-08 06:36:06,397",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000031c"
},
{
"name": "DesiredAccess",
"value": "0x00000009",
"pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\Session Manager"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager"
}
],
"repeated": 0,
"id": 822
},
{
"timestamp": "2026-03-08 06:36:06,397",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000031c"
},
{
"name": "ValueName",
"value": "ResourcePolicies"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\ResourcePolicies"
}
],
"repeated": 0,
"id": 823
},
{
"timestamp": "2026-03-08 06:36:06,397",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x0000031c"
}
],
"repeated": 0,
"id": 824
},
{
"timestamp": "2026-03-08 06:36:06,397",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtAllocateVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x02530000"
},
{
"name": "RegionSize",
"value": "0x00008000"
},
{
"name": "Protection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 825
},
{
"timestamp": "2026-03-08 06:36:06,397",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtAllocateVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x02530000"
},
{
"name": "RegionSize",
"value": "0x00001000"
},
{
"name": "Protection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 826
},
{
"timestamp": "2026-03-08 06:36:06,397",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrpCallInitRoutine",
"status": true,
"return": "0x00000001",
"arguments": [
{
"name": "MappedPath",
"value": "\\Device\\HarddiskVolume1\\Windows\\SysWOW64\\CoreUIComponents"
},
{
"name": "BaseAddress",
"value": "0x73830000"
},
{
"name": "InitRoutine",
"value": "0x7388e960"
},
{
"name": "Reason",
"value": "1"
}
],
"repeated": 0,
"id": 827
},
{
"timestamp": "2026-03-08 06:36:06,397",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrpCallInitRoutine",
"status": true,
"return": "0x00000001",
"arguments": [
{
"name": "MappedPath",
"value": "\\Device\\HarddiskVolume1\\Windows\\SysWOW64\\TextInputFramework"
},
{
"name": "BaseAddress",
"value": "0x73ab0000"
},
{
"name": "InitRoutine",
"value": "0x73af06a0"
},
{
"name": "Reason",
"value": "1"
}
],
"repeated": 0,
"id": 828
},
{
"timestamp": "2026-03-08 06:36:06,397",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x76c68000"
},
{
"name": "ModuleName",
"value": "MSCTF.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "OldAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 829
},
{
"timestamp": "2026-03-08 06:36:06,397",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x76c68000"
},
{
"name": "ModuleName",
"value": "MSCTF.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 830
},
{
"timestamp": "2026-03-08 06:36:06,397",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "misc",
"api": "RtlSetCurrentTransaction",
"status": true,
"return": "0x00000001",
"arguments": [
{
"name": "TransactionHandle",
"value": "0x00000000"
}
],
"repeated": 1,
"id": 831
},
{
"timestamp": "2026-03-08 06:36:06,397",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtOpenKeyEx",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "KeyHandle",
"value": "0x00000000"
},
{
"name": "DesiredAccess",
"value": "0x00020019",
"pretty_value": "KEY_READ"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000130"
},
{
"name": "ObjectAttributesName",
"value": "SOFTWARE\\Microsoft\\CTF\\Compatibility\\AppCompatClassName"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\AppCompatClassName"
}
],
"repeated": 0,
"id": 832
},
{
"timestamp": "2026-03-08 06:36:06,397",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x760ed000"
},
{
"name": "ModuleName",
"value": "OLEAUT32.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "OldAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 833
},
{
"timestamp": "2026-03-08 06:36:06,397",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x760ed000"
},
{
"name": "ModuleName",
"value": "OLEAUT32.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 834
},
{
"timestamp": "2026-03-08 06:36:06,397",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "synchronization",
"api": "NtOpenEvent",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "Handle",
"value": "0x00000000"
},
{
"name": "EventName",
"value": "Local\\1ImmersiveFocusTrackingActiveEvent"
}
],
"repeated": 0,
"id": 835
},
{
"timestamp": "2026-03-08 06:36:06,397",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtAllocateVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x04e00000"
},
{
"name": "RegionSize",
"value": "0x00080000"
},
{
"name": "Protection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 836
},
{
"timestamp": "2026-03-08 06:36:06,397",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtAllocateVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x04e00000"
},
{
"name": "RegionSize",
"value": "0x00001000"
},
{
"name": "Protection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 837
},
{
"timestamp": "2026-03-08 06:36:06,397",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "misc",
"api": "GetKeyboardLayout",
"status": true,
"return": "0x04190419",
"arguments": [
{
"name": "KeyboardLayout",
"value": "0x00000419"
},
{
"name": "LanguageName",
"value": "Russian"
}
],
"repeated": 0,
"id": 838
},
{
"timestamp": "2026-03-08 06:36:06,397",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x76c68000"
},
{
"name": "ModuleName",
"value": "MSCTF.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "OldAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 839
},
{
"timestamp": "2026-03-08 06:36:06,397",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x76c68000"
},
{
"name": "ModuleName",
"value": "MSCTF.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 840
},
{
"timestamp": "2026-03-08 06:36:06,413",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "misc",
"api": "RtlSetCurrentTransaction",
"status": true,
"return": "0x00000001",
"arguments": [
{
"name": "TransactionHandle",
"value": "0x00000000"
}
],
"repeated": 1,
"id": 841
},
{
"timestamp": "2026-03-08 06:36:06,413",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtOpenKeyEx",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x00000328"
},
{
"name": "DesiredAccess",
"value": "0x00020019",
"pretty_value": "KEY_READ"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000130"
},
{
"name": "ObjectAttributesName",
"value": "SOFTWARE\\Microsoft\\CTF\\"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\"
}
],
"repeated": 0,
"id": 842
},
{
"timestamp": "2026-03-08 06:36:06,413",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "KeyHandle",
"value": "0x00000328"
},
{
"name": "ValueName",
"value": "EnableAnchorContext"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\CTF\\EnableAnchorContext"
}
],
"repeated": 0,
"id": 843
},
{
"timestamp": "2026-03-08 06:36:06,413",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000328"
}
],
"repeated": 0,
"id": 844
},
{
"timestamp": "2026-03-08 06:36:06,413",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "misc",
"api": "GetKeyboardLayout",
"status": true,
"return": "0x04190419",
"arguments": [
{
"name": "KeyboardLayout",
"value": "0x00000419"
},
{
"name": "LanguageName",
"value": "Russian"
}
],
"repeated": 0,
"id": 845
},
{
"timestamp": "2026-03-08 06:36:06,413",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetDllHandle",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileName",
"value": "USER32"
},
{
"name": "ModuleHandle",
"value": "0x75d10000"
}
],
"repeated": 0,
"id": 846
},
{
"timestamp": "2026-03-08 06:36:06,413",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "filesystem",
"api": "NtOpenFile",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "FileHandle",
"value": "0x00000000"
},
{
"name": "DesiredAccess",
"value": "0x00100001",
"pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
},
{
"name": "FileName",
"value": "C:\\Windows\\SystemResources\\USER32.dll.mun"
},
{
"name": "ShareAccess",
"value": "5",
"pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
}
],
"repeated": 1,
"id": 847
},
{
"timestamp": "2026-03-08 06:36:06,413",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrLoadDll",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Flags",
"value": "0x00000000"
},
{
"name": "FileName",
"value": "C:\\Windows\\System32\\msctf.dll"
},
{
"name": "BaseAddress",
"value": "0x76ba0000"
}
],
"repeated": 0,
"id": 848
},
{
"timestamp": "2026-03-08 06:36:06,413",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "misc",
"api": "GetKeyboardLayout",
"status": true,
"return": "0x04190419",
"arguments": [
{
"name": "KeyboardLayout",
"value": "0x00000419"
},
{
"name": "LanguageName",
"value": "Russian"
}
],
"repeated": 0,
"id": 849
},
{
"timestamp": "2026-03-08 06:36:06,413",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "GetUserDefaultLCID",
"status": true,
"return": "0x00000419",
"arguments": [
{
"name": "SystemDefaultLangID",
"value": "0x00000419"
},
{
"name": "LanguageName",
"value": "Russian"
}
],
"repeated": 1,
"id": 850
},
{
"timestamp": "2026-03-08 06:36:06,507",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtOpenSection",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "SectionHandle",
"value": "0x00000000"
},
{
"name": "DesiredAccess",
"value": "0x0000000d"
},
{
"name": "ObjectAttributes",
"value": "TextShaping.dll"
}
],
"repeated": 0,
"id": 851
},
{
"timestamp": "2026-03-08 06:36:06,507",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "filesystem",
"api": "NtQueryAttributesFile",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "FileName",
"value": "C:\\Users\\cape\\AppData\\Local\\Temp\\TextShaping.dll"
}
],
"repeated": 0,
"id": 852
},
{
"timestamp": "2026-03-08 06:36:06,522",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "filesystem",
"api": "NtQueryAttributesFile",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileName",
"value": "C:\\Windows\\System32\\TextShaping.dll"
}
],
"repeated": 0,
"id": 853
},
{
"timestamp": "2026-03-08 06:36:06,522",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "filesystem",
"api": "NtOpenFile",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileHandle",
"value": "0x0000032c"
},
{
"name": "DesiredAccess",
"value": "0x00100021",
"pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
},
{
"name": "FileName",
"value": "C:\\Windows\\System32\\TextShaping.dll"
},
{
"name": "ShareAccess",
"value": "5",
"pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
}
],
"repeated": 0,
"id": 854
},
{
"timestamp": "2026-03-08 06:36:06,553",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtCreateSection",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "SectionHandle",
"value": "0x00000328"
},
{
"name": "DesiredAccess",
"value": "0x0000000d",
"pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
},
{
"name": "ObjectAttributes",
"value": ""
},
{
"name": "FileHandle",
"value": "0x0000032c"
},
{
"name": "FileName",
"value": "C:\\Windows\\SysWOW64\\TextShaping.dll"
}
],
"repeated": 0,
"id": 855
},
{
"timestamp": "2026-03-08 06:36:06,553",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtMapViewOfSection",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "SectionHandle",
"value": "0x00000328"
},
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x735e0000"
},
{
"name": "SectionOffset",
"value": "0x00000000"
},
{
"name": "ViewSize",
"value": "0x00094000"
},
{
"name": "Win32Protect",
"value": "0x00000080",
"pretty_value": "PAGE_EXECUTE_WRITECOPY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 856
},
{
"timestamp": "2026-03-08 06:36:06,553",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x77f69000"
},
{
"name": "ModuleName",
"value": "ntdll.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00003000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "OldAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 857
},
{
"timestamp": "2026-03-08 06:36:06,553",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x77f69000"
},
{
"name": "ModuleName",
"value": "ntdll.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00003000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 858
},
{
"timestamp": "2026-03-08 06:36:06,553",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x73671000"
},
{
"name": "ModuleName",
"value": "TextShaping.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "OldAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 859
},
{
"timestamp": "2026-03-08 06:36:06,553",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000328"
}
],
"repeated": 0,
"id": 860
},
{
"timestamp": "2026-03-08 06:36:06,553",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x0000032c"
}
],
"repeated": 0,
"id": 861
},
{
"timestamp": "2026-03-08 06:36:06,553",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x73671000"
},
{
"name": "ModuleName",
"value": "TextShaping.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 862
},
{
"timestamp": "2026-03-08 06:36:06,553",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetDllHandle",
"status": false,
"return": "0xffffffffc0000135",
"pretty_return": "DLL_NOT_FOUND",
"arguments": [
{
"name": "FileName",
"value": "DDRAW.DLL"
},
{
"name": "ModuleHandle",
"value": "0x00000000"
}
],
"repeated": 1,
"id": 863
},
{
"timestamp": "2026-03-08 06:36:06,553",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetDllHandle",
"status": false,
"return": "0xffffffffc0000135",
"pretty_return": "DLL_NOT_FOUND",
"arguments": [
{
"name": "FileName",
"value": "D3D8.DLL"
},
{
"name": "ModuleHandle",
"value": "0x00000000"
}
],
"repeated": 0,
"id": 864
},
{
"timestamp": "2026-03-08 06:36:06,553",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetDllHandle",
"status": false,
"return": "0xffffffffc0000135",
"pretty_return": "DLL_NOT_FOUND",
"arguments": [
{
"name": "FileName",
"value": "D3D9.DLL"
},
{
"name": "ModuleHandle",
"value": "0x00000000"
}
],
"repeated": 1,
"id": 865
},
{
"timestamp": "2026-03-08 06:36:06,553",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "misc",
"api": "RtlDosPathNameToNtPathName_U",
"status": true,
"return": "0x00000001",
"arguments": [
{
"name": "DosFileName",
"value": "C:\\Windows\\SYSTEM32\\TextShaping.dll"
}
],
"repeated": 0,
"id": 866
},
{
"timestamp": "2026-03-08 06:36:06,553",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "filesystem",
"api": "NtOpenFile",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileHandle",
"value": "0x0000032c"
},
{
"name": "DesiredAccess",
"value": "0x00020000",
"pretty_value": "READ_CONTROL"
},
{
"name": "FileName",
"value": "C:\\Windows\\System32\\TextShaping.dll"
},
{
"name": "ShareAccess",
"value": "5",
"pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
}
],
"repeated": 0,
"id": 867
},
{
"timestamp": "2026-03-08 06:36:06,553",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x0000032c"
}
],
"repeated": 0,
"id": 868
},
{
"timestamp": "2026-03-08 06:36:06,553",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "DllLoadNotification",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "NotificationReason",
"value": "load"
},
{
"name": "DllName",
"value": "C:\\Windows\\SYSTEM32\\TextShaping"
},
{
"name": "DllBase",
"value": "0x735e0000"
}
],
"repeated": 0,
"id": 869
},
{
"timestamp": "2026-03-08 06:36:06,663",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrpCallInitRoutine",
"status": true,
"return": "0x00000001",
"arguments": [
{
"name": "MappedPath",
"value": "\\Device\\HarddiskVolume1\\Windows\\SysWOW64\\TextShaping"
},
{
"name": "BaseAddress",
"value": "0x735e0000"
},
{
"name": "InitRoutine",
"value": "0x7366f2b0"
},
{
"name": "Reason",
"value": "1"
}
],
"repeated": 0,
"id": 870
},
{
"timestamp": "2026-03-08 06:36:06,663",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x768e4000"
},
{
"name": "ModuleName",
"value": "gdi32full.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "OldAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 871
},
{
"timestamp": "2026-03-08 06:36:06,663",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x768e4000"
},
{
"name": "ModuleName",
"value": "gdi32full.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 872
},
{
"timestamp": "2026-03-08 06:36:06,710",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x76a9f000"
},
{
"name": "ModuleName",
"value": "GDI32.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "OldAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 873
},
{
"timestamp": "2026-03-08 06:36:06,710",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x76a9f000"
},
{
"name": "ModuleName",
"value": "GDI32.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 874
},
{
"timestamp": "2026-03-08 06:36:06,710",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtAllocateVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x00787000"
},
{
"name": "RegionSize",
"value": "0x00002000"
},
{
"name": "Protection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 875
},
{
"timestamp": "2026-03-08 06:36:06,710",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "misc",
"api": "RtlSetCurrentTransaction",
"status": true,
"return": "0x00000001",
"arguments": [
{
"name": "TransactionHandle",
"value": "0x00000000"
}
],
"repeated": 1,
"id": 876
},
{
"timestamp": "2026-03-08 06:36:06,710",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtOpenKeyEx",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "DesiredAccess",
"value": "0x00000109",
"pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_WOW64_64KEY"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000130"
},
{
"name": "ObjectAttributesName",
"value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink"
}
],
"repeated": 0,
"id": 877
},
{
"timestamp": "2026-03-08 06:36:06,710",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtQueryKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "KeyInformation",
"value": "o\\xff9b\\x11,\\xfff7\\xffab\\xffdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00C\\x00\\x00\\x006\\x00\\x00\\x00\\xff84\\x03\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
},
{
"name": "KeyInformationClass",
"value": "4"
}
],
"repeated": 0,
"id": 878
},
{
"timestamp": "2026-03-08 06:36:06,710",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtAllocateVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x00789000"
},
{
"name": "RegionSize",
"value": "0x00003000"
},
{
"name": "Protection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 879
},
{
"timestamp": "2026-03-08 06:36:06,710",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "0"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 880
},
{
"timestamp": "2026-03-08 06:36:06,710",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "0"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 881
},
{
"timestamp": "2026-03-08 06:36:06,710",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "1"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 882
},
{
"timestamp": "2026-03-08 06:36:06,710",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "1"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 883
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "2"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 884
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "2"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 885
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "3"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 886
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "3"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 887
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "4"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 888
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "4"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 889
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "5"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 890
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "5"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 891
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "6"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 892
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "6"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 893
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "7"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 894
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "7"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 895
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "8"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 896
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "8"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 897
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "9"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 898
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "9"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 899
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "10"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 900
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "10"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 901
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "11"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 902
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "11"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 903
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "12"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 904
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "12"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 905
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "13"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 906
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "13"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 907
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "14"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 908
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "14"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 909
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "15"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 910
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "15"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 911
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "16"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 912
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "16"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 913
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "17"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 914
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "17"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 915
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "18"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 916
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "18"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 917
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "19"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 918
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "19"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 919
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "20"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 920
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "20"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 921
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "21"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 922
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "21"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 923
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "22"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 924
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "22"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 925
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "23"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 926
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "23"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 927
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "24"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 928
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "24"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 929
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "25"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 930
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "25"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 931
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "26"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 932
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "26"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 933
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "27"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 934
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "27"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 935
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "28"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 936
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "28"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 937
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "29"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 938
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "29"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 939
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "30"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 940
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "30"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 941
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "31"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 942
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "31"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 943
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "32"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 944
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "32"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 945
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "33"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 946
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "33"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 947
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "34"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 948
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "34"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 949
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "35"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 950
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "35"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 951
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "36"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 952
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "36"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 953
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "37"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 954
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "37"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 955
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "38"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 956
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "38"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 957
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "39"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 958
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "39"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 959
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "40"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 960
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "40"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 961
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "41"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 962
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "41"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 963
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "42"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 964
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "42"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 965
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "43"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 966
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "43"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 967
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "44"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 968
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "44"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 969
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "45"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 970
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "45"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 971
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "46"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 972
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "46"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 973
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "47"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 974
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "47"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 975
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "48"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 976
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "48"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 977
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "49"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 978
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "49"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 979
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "50"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 980
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "50"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 981
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "51"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 982
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "51"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 983
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "52"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 984
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "52"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 985
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "53"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 986
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "53"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 987
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "54"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 988
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "54"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 989
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "55"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 990
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "55"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 991
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "56"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 992
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "56"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 993
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "57"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 994
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "57"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 995
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "58"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 996
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "58"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 997
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "59"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 998
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "59"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 999
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "60"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 1000
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "60"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 1001
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "61"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 1002
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "61"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 1003
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "62"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 1004
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "62"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 1005
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "63"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 1006
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "63"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 1007
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "64"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 1008
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "64"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 1009
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "65"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 1010
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "65"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 1011
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff80000005",
"pretty_return": "BUFFER_OVERFLOW",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "66"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 1012
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "66"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 1013
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateValueKey",
"status": false,
"return": "0xffffffff8000001a",
"pretty_return": "NO_MORE_ENTRIES",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "Index",
"value": "67"
},
{
"name": "KeyValueInformationClass",
"value": "1"
}
],
"repeated": 0,
"id": 1014
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x0000032c"
}
],
"repeated": 0,
"id": 1015
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtAllocateVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x0078c000"
},
{
"name": "RegionSize",
"value": "0x00006000"
},
{
"name": "Protection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 1016
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "GetUserDefaultLCID",
"status": true,
"return": "0x00000419",
"arguments": [
{
"name": "SystemDefaultLangID",
"value": "0x00000419"
},
{
"name": "LanguageName",
"value": "Russian"
}
],
"repeated": 0,
"id": 1017
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "misc",
"api": "RtlSetCurrentTransaction",
"status": true,
"return": "0x00000001",
"arguments": [
{
"name": "TransactionHandle",
"value": "0x00000000"
}
],
"repeated": 1,
"id": 1018
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtOpenKeyEx",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "DesiredAccess",
"value": "0x00000101",
"pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000130"
},
{
"name": "ObjectAttributesName",
"value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0"
}
],
"repeated": 0,
"id": 1019
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "ValueName",
"value": "Disable"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0\\Disable"
}
],
"repeated": 0,
"id": 1020
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtQueryValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000032c"
},
{
"name": "ValueName",
"value": "DataFilePath"
},
{
"name": "Type",
"value": "1",
"pretty_value": "REG_SZ"
},
{
"name": "Information",
"value": "C:\\Windows\\Fonts\\staticcache.dat"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0\\DataFilePath"
}
],
"repeated": 0,
"id": 1021
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x0000032c"
}
],
"repeated": 0,
"id": 1022
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "filesystem",
"api": "NtCreateFile",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileHandle",
"value": "0x0000032c"
},
{
"name": "DesiredAccess",
"value": "0x80100080",
"pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
},
{
"name": "FileName",
"value": "C:\\Windows\\Fonts\\staticcache.dat"
},
{
"name": "CreateDisposition",
"value": "1",
"pretty_value": "FILE_OPEN"
},
{
"name": "ShareAccess",
"value": "5",
"pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
},
{
"name": "FileAttributes",
"value": "0x00000000"
},
{
"name": "ExistedBefore",
"value": "yes"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 1023
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "filesystem",
"api": "NtQueryInformationFile",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileHandle",
"value": "0x0000032c"
},
{
"name": "HandleName",
"value": "C:\\Windows\\Fonts\\StaticCache.dat"
},
{
"name": "FileInformationClass",
"value": "5",
"pretty_value": "FileStandardInformation"
},
{
"name": "FileInformation",
"value": "\\x00\\x00&\\x01\\x00\\x00\\x00\\x00\\x00\\x00&\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
}
],
"repeated": 0,
"id": 1024
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "filesystem",
"api": "NtReadFile",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileHandle",
"value": "0x0000032c"
},
{
"name": "HandleName",
"value": "C:\\Windows\\Fonts\\StaticCache.dat"
},
{
"name": "Buffer",
"value": "\\x1a\\x83W\\xa5\\x02\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00$\\x01\\x00\\x00$)\\x00\\x00\\x00\\x00\\x02\\x00\\xbe\\x02\\x00\\x00<\\x00\\x00\\x00$!\\x00\\x00L)\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00"
},
{
"name": "Length",
"value": "60"
}
],
"repeated": 0,
"id": 1025
},
{
"timestamp": "2026-03-08 06:36:06,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtCreateSection",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "SectionHandle",
"value": "0x00000328"
},
{
"name": "DesiredAccess",
"value": "0x000f0005",
"pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
},
{
"name": "ObjectAttributes",
"value": ""
},
{
"name": "FileHandle",
"value": "0x0000032c"
},
{
"name": "FileName",
"value": "C:\\Windows\\Fonts\\StaticCache.dat"
}
],
"repeated": 0,
"id": 1026
},
{
"timestamp": "2026-03-08 06:36:06,741",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtMapViewOfSection",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "SectionHandle",
"value": "0x00000328"
},
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x05380000"
},
{
"name": "SectionOffset",
"value": "0x0028d5f0"
},
{
"name": "ViewSize",
"value": "0x01260000"
},
{
"name": "Win32Protect",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 1027
},
{
"timestamp": "2026-03-08 06:36:06,772",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtAllocateVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x00792000"
},
{
"name": "RegionSize",
"value": "0x00015000"
},
{
"name": "Protection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 1028
},
{
"timestamp": "2026-03-08 06:36:06,803",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtFreeVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x0078b000"
},
{
"name": "RegionSize",
"value": "0x0001b000"
},
{
"name": "FreeType",
"value": "0x00004000"
}
],
"repeated": 0,
"id": 1029
},
{
"timestamp": "2026-03-08 06:36:06,803",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtFreeVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x00787000"
},
{
"name": "RegionSize",
"value": "0x00001000"
},
{
"name": "FreeType",
"value": "0x00004000"
}
],
"repeated": 0,
"id": 1030
},
{
"timestamp": "2026-03-08 06:36:06,803",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtAllocateVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x0078b000"
},
{
"name": "RegionSize",
"value": "0x0001b000"
},
{
"name": "Protection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 1031
},
{
"timestamp": "2026-03-08 06:36:06,819",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "misc",
"api": "RtlSetCurrentTransaction",
"status": true,
"return": "0x00000001",
"arguments": [
{
"name": "TransactionHandle",
"value": "0x00000000"
}
],
"repeated": 1,
"id": 1032
},
{
"timestamp": "2026-03-08 06:36:06,819",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtOpenKeyEx",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x00000334"
},
{
"name": "DesiredAccess",
"value": "0x00000101",
"pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000130"
},
{
"name": "ObjectAttributesName",
"value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback"
}
],
"repeated": 0,
"id": 1033
},
{
"timestamp": "2026-03-08 06:36:06,819",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "KeyHandle",
"value": "0x00000334"
},
{
"name": "ValueName",
"value": "Plane1"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane1"
}
],
"repeated": 0,
"id": 1034
},
{
"timestamp": "2026-03-08 06:36:06,819",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtQueryValueKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x00000334"
},
{
"name": "ValueName",
"value": "Plane2"
},
{
"name": "Type",
"value": "1",
"pretty_value": "REG_SZ"
},
{
"name": "Information",
"value": "SimSun-ExtB"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane2"
}
],
"repeated": 1,
"id": 1035
},
{
"timestamp": "2026-03-08 06:36:06,819",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "KeyHandle",
"value": "0x00000334"
},
{
"name": "ValueName",
"value": "Plane3"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane3"
}
],
"repeated": 0,
"id": 1036
},
{
"timestamp": "2026-03-08 06:36:06,819",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "KeyHandle",
"value": "0x00000334"
},
{
"name": "ValueName",
"value": "Plane4"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane4"
}
],
"repeated": 0,
"id": 1037
},
{
"timestamp": "2026-03-08 06:36:06,819",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "KeyHandle",
"value": "0x00000334"
},
{
"name": "ValueName",
"value": "Plane5"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane5"
}
],
"repeated": 0,
"id": 1038
},
{
"timestamp": "2026-03-08 06:36:06,819",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "KeyHandle",
"value": "0x00000334"
},
{
"name": "ValueName",
"value": "Plane6"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane6"
}
],
"repeated": 0,
"id": 1039
},
{
"timestamp": "2026-03-08 06:36:06,819",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "KeyHandle",
"value": "0x00000334"
},
{
"name": "ValueName",
"value": "Plane7"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane7"
}
],
"repeated": 0,
"id": 1040
},
{
"timestamp": "2026-03-08 06:36:06,819",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "KeyHandle",
"value": "0x00000334"
},
{
"name": "ValueName",
"value": "Plane8"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane8"
}
],
"repeated": 0,
"id": 1041
},
{
"timestamp": "2026-03-08 06:36:06,819",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "KeyHandle",
"value": "0x00000334"
},
{
"name": "ValueName",
"value": "Plane9"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane9"
}
],
"repeated": 0,
"id": 1042
},
{
"timestamp": "2026-03-08 06:36:06,819",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "KeyHandle",
"value": "0x00000334"
},
{
"name": "ValueName",
"value": "Plane10"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane10"
}
],
"repeated": 0,
"id": 1043
},
{
"timestamp": "2026-03-08 06:36:06,819",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "KeyHandle",
"value": "0x00000334"
},
{
"name": "ValueName",
"value": "Plane11"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane11"
}
],
"repeated": 0,
"id": 1044
},
{
"timestamp": "2026-03-08 06:36:06,819",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "KeyHandle",
"value": "0x00000334"
},
{
"name": "ValueName",
"value": "Plane12"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane12"
}
],
"repeated": 0,
"id": 1045
},
{
"timestamp": "2026-03-08 06:36:06,819",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "KeyHandle",
"value": "0x00000334"
},
{
"name": "ValueName",
"value": "Plane13"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane13"
}
],
"repeated": 0,
"id": 1046
},
{
"timestamp": "2026-03-08 06:36:06,819",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "KeyHandle",
"value": "0x00000334"
},
{
"name": "ValueName",
"value": "Plane14"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane14"
}
],
"repeated": 0,
"id": 1047
},
{
"timestamp": "2026-03-08 06:36:06,819",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "KeyHandle",
"value": "0x00000334"
},
{
"name": "ValueName",
"value": "Plane15"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane15"
}
],
"repeated": 0,
"id": 1048
},
{
"timestamp": "2026-03-08 06:36:06,819",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "KeyHandle",
"value": "0x00000334"
},
{
"name": "ValueName",
"value": "Plane16"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane16"
}
],
"repeated": 0,
"id": 1049
},
{
"timestamp": "2026-03-08 06:36:06,819",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000334"
}
],
"repeated": 0,
"id": 1050
},
{
"timestamp": "2026-03-08 06:36:06,819",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "misc",
"api": "RtlSetCurrentTransaction",
"status": true,
"return": "0x00000001",
"arguments": [
{
"name": "TransactionHandle",
"value": "0x00000000"
}
],
"repeated": 1,
"id": 1051
},
{
"timestamp": "2026-03-08 06:36:06,819",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtOpenKeyEx",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x00000334"
},
{
"name": "DesiredAccess",
"value": "0x00000109",
"pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_WOW64_64KEY"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000130"
},
{
"name": "ObjectAttributesName",
"value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback"
}
],
"repeated": 0,
"id": 1052
},
{
"timestamp": "2026-03-08 06:36:06,819",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtQueryKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x00000334"
},
{
"name": "KeyInformation",
"value": "\\xffa8\\x01\\xffd1y\\x0b\\xffad\\xffd5\\x01\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x1a\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x18\\x00\\x00\\x00\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
},
{
"name": "KeyInformationClass",
"value": "4"
}
],
"repeated": 0,
"id": 1053
},
{
"timestamp": "2026-03-08 06:36:06,819",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x00000334"
},
{
"name": "Index",
"value": "0"
}
],
"repeated": 0,
"id": 1054
},
{
"timestamp": "2026-03-08 06:36:06,819",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x00000334"
},
{
"name": "Index",
"value": "1"
}
],
"repeated": 0,
"id": 1055
},
{
"timestamp": "2026-03-08 06:36:06,819",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x00000334"
},
{
"name": "Index",
"value": "2"
}
],
"repeated": 0,
"id": 1056
},
{
"timestamp": "2026-03-08 06:36:06,819",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x00000334"
},
{
"name": "Index",
"value": "3"
}
],
"repeated": 0,
"id": 1057
},
{
"timestamp": "2026-03-08 06:36:06,819",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtOpenKeyEx",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "KeyHandle",
"value": "0x00000000"
},
{
"name": "DesiredAccess",
"value": "0x00000101",
"pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000334"
},
{
"name": "ObjectAttributesName",
"value": "MS Shell Dlg"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\MS Shell Dlg"
}
],
"repeated": 0,
"id": 1058
},
{
"timestamp": "2026-03-08 06:36:06,819",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000334"
}
],
"repeated": 0,
"id": 1059
},
{
"timestamp": "2026-03-08 06:36:06,913",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "misc",
"api": "SystemParametersInfoW",
"status": true,
"return": "0x00000001",
"arguments": [
{
"name": "Action",
"value": "0x00000068"
},
{
"name": "uiParam",
"value": "0x00000000"
}
],
"repeated": 0,
"id": 1060
},
{
"timestamp": "2026-03-08 06:36:06,913",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "misc",
"api": "SystemParametersInfoW",
"status": true,
"return": "0x00000001",
"arguments": [
{
"name": "Action",
"value": "0x0000006c"
},
{
"name": "uiParam",
"value": "0x00000000"
}
],
"repeated": 0,
"id": 1061
},
{
"timestamp": "2026-03-08 06:36:06,913",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "misc",
"api": "GetSystemMetrics",
"status": false,
"return": "0x00000000",
"arguments": [
{
"name": "SystemMetricIndex",
"value": "4096"
}
],
"repeated": 0,
"id": 1062
},
{
"timestamp": "2026-03-08 06:36:06,913",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "misc",
"api": "SystemParametersInfoW",
"status": true,
"return": "0x00000001",
"arguments": [
{
"name": "Action",
"value": "0x00000026"
},
{
"name": "uiParam",
"value": "0x00000004"
}
],
"repeated": 0,
"id": 1063
},
{
"timestamp": "2026-03-08 06:36:06,913",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "misc",
"api": "SystemParametersInfoW",
"status": true,
"return": "0x00000001",
"arguments": [
{
"name": "Action",
"value": "0x0000103e"
},
{
"name": "uiParam",
"value": "0x00000000"
}
],
"repeated": 0,
"id": 1064
},
{
"timestamp": "2026-03-08 06:36:06,913",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "misc",
"api": "SystemParametersInfoW",
"status": true,
"return": "0x00000001",
"arguments": [
{
"name": "Action",
"value": "0x00001042"
},
{
"name": "uiParam",
"value": "0x00000000"
}
],
"repeated": 0,
"id": 1065
},
{
"timestamp": "2026-03-08 06:36:06,913",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "misc",
"api": "SystemParametersInfoW",
"status": true,
"return": "0x00000001",
"arguments": [
{
"name": "Action",
"value": "0x0000001b"
},
{
"name": "uiParam",
"value": "0x00000000"
}
],
"repeated": 0,
"id": 1066
},
{
"timestamp": "2026-03-08 06:36:06,913",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x73d20000"
},
{
"name": "ModuleName",
"value": "comctl32.DLL"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "OldAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 1067
},
{
"timestamp": "2026-03-08 06:36:06,913",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x73d20000"
},
{
"name": "ModuleName",
"value": "comctl32.DLL"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 1068
},
{
"timestamp": "2026-03-08 06:36:06,913",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtAllocateVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x00787000"
},
{
"name": "RegionSize",
"value": "0x00001000"
},
{
"name": "Protection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 1069
},
{
"timestamp": "2026-03-08 06:36:06,913",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetDllHandle",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileName",
"value": "ntdll.dll"
},
{
"name": "ModuleHandle",
"value": "0x77e40000"
}
],
"repeated": 0,
"id": 1070
},
{
"timestamp": "2026-03-08 06:36:06,913",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "ntdll.dll"
},
{
"name": "ModuleHandle",
"value": "0x77e40000"
},
{
"name": "FunctionName",
"value": "RtlRegisterFeatureConfigurationChangeNotification"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x77e724f0"
}
],
"repeated": 0,
"id": 1071
},
{
"timestamp": "2026-03-08 06:36:06,913",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "ntdll.dll"
},
{
"name": "ModuleHandle",
"value": "0x77e40000"
},
{
"name": "FunctionName",
"value": "NtQueryWnfStateData"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x77eb40c0"
}
],
"repeated": 0,
"id": 1072
},
{
"timestamp": "2026-03-08 06:36:06,913",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "ntdll.dll"
},
{
"name": "ModuleHandle",
"value": "0x77e40000"
},
{
"name": "FunctionName",
"value": "RtlSubscribeWnfStateChangeNotification"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x77e70780"
}
],
"repeated": 0,
"id": 1073
},
{
"timestamp": "2026-03-08 06:36:06,913",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "ntdll.dll"
},
{
"name": "ModuleHandle",
"value": "0x77e40000"
},
{
"name": "FunctionName",
"value": "RtlDisownModuleHeapAllocation"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x77eac2a0"
}
],
"repeated": 0,
"id": 1074
},
{
"timestamp": "2026-03-08 06:36:06,913",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "ntdll.dll"
},
{
"name": "ModuleHandle",
"value": "0x77e40000"
},
{
"name": "FunctionName",
"value": "RtlQueryFeatureConfiguration"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x77ea52e0"
}
],
"repeated": 0,
"id": 1075
},
{
"timestamp": "2026-03-08 06:36:06,913",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "ntdll.dll"
},
{
"name": "ModuleHandle",
"value": "0x77e40000"
},
{
"name": "FunctionName",
"value": "RtlDllShutdownInProgress"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x77e9f5a0"
}
],
"repeated": 0,
"id": 1076
},
{
"timestamp": "2026-03-08 06:36:06,913",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "synchronization",
"api": "NtCreateMutant",
"status": true,
"return": "0x40000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000330"
},
{
"name": "MutexName",
"value": "Local\\SM0:6132:168:WilStaging_02"
},
{
"name": "InitialOwner",
"value": "0"
}
],
"repeated": 0,
"id": 1077
},
{
"timestamp": "2026-03-08 06:36:06,913",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtWaitForSingleObject",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000330"
},
{
"name": "Milliseconds",
"value": "18446744073709551615"
},
{
"name": "Status",
"value": "Infinite"
}
],
"repeated": 0,
"id": 1078
},
{
"timestamp": "2026-03-08 06:36:06,913",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "GetSystemTimeAsFileTime",
"status": true,
"return": "0x00000000",
"arguments": [],
"repeated": 0,
"id": 1079
},
{
"timestamp": "2026-03-08 06:36:06,913",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtWaitForSingleObject",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000334"
},
{
"name": "Milliseconds",
"value": "0"
}
],
"repeated": 0,
"id": 1080
},
{
"timestamp": "2026-03-08 06:36:06,913",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000334"
}
],
"repeated": 0,
"id": 1081
},
{
"timestamp": "2026-03-08 06:36:06,913",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "synchronization",
"api": "NtReleaseMutant",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000330"
}
],
"repeated": 1,
"id": 1082
},
{
"timestamp": "2026-03-08 06:36:06,913",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "synchronization",
"api": "NtCreateMutant",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000330"
},
{
"name": "MutexName",
"value": "Local\\SM0:6132:64:WilError_03"
},
{
"name": "InitialOwner",
"value": "0"
}
],
"repeated": 0,
"id": 1083
},
{
"timestamp": "2026-03-08 06:36:06,913",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtWaitForSingleObject",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000330"
},
{
"name": "Milliseconds",
"value": "18446744073709551615"
},
{
"name": "Status",
"value": "Infinite"
}
],
"repeated": 0,
"id": 1084
},
{
"timestamp": "2026-03-08 06:36:06,913",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "synchronization",
"api": "NtReleaseMutant",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000330"
}
],
"repeated": 0,
"id": 1085
},
{
"timestamp": "2026-03-08 06:36:06,913",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtOpenSection",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "SectionHandle",
"value": "0x00000338"
},
{
"name": "DesiredAccess",
"value": "0x00000006"
},
{
"name": "ObjectAttributes",
"value": "windows_shell_global_counters"
}
],
"repeated": 0,
"id": 1086
},
{
"timestamp": "2026-03-08 06:36:06,913",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtMapViewOfSection",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "SectionHandle",
"value": "0x00000338"
},
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x02580000"
},
{
"name": "SectionOffset",
"value": "0x0028ca24"
},
{
"name": "ViewSize",
"value": "0x00001000"
},
{
"name": "Win32Protect",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 1087
},
{
"timestamp": "2026-03-08 06:36:06,913",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "misc",
"api": "RtlSetCurrentTransaction",
"status": true,
"return": "0x00000001",
"arguments": [
{
"name": "TransactionHandle",
"value": "0x00000000"
}
],
"repeated": 1,
"id": 1088
},
{
"timestamp": "2026-03-08 06:36:06,913",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtOpenKeyEx",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000033c"
},
{
"name": "DesiredAccess",
"value": "0x00000001",
"pretty_value": "KEY_QUERY_VALUE"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000130"
},
{
"name": "ObjectAttributesName",
"value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
}
],
"repeated": 0,
"id": 1089
},
{
"timestamp": "2026-03-08 06:36:06,913",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000033c"
},
{
"name": "ValueName",
"value": "TurnOffSPIAnimations"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations"
}
],
"repeated": 0,
"id": 1090
},
{
"timestamp": "2026-03-08 06:36:06,913",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x0000033c"
}
],
"repeated": 0,
"id": 1091
},
{
"timestamp": "2026-03-08 06:36:06,913",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "misc",
"api": "RtlSetCurrentTransaction",
"status": true,
"return": "0x00000001",
"arguments": [
{
"name": "TransactionHandle",
"value": "0x00000000"
}
],
"repeated": 1,
"id": 1092
},
{
"timestamp": "2026-03-08 06:36:06,913",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtOpenKeyEx",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000033c"
},
{
"name": "DesiredAccess",
"value": "0x00000001",
"pretty_value": "KEY_QUERY_VALUE"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000294"
},
{
"name": "ObjectAttributesName",
"value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
},
{
"name": "ObjectAttributes",
"value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
}
],
"repeated": 0,
"id": 1093
},
{
"timestamp": "2026-03-08 06:36:06,913",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000033c"
},
{
"name": "ValueName",
"value": "TurnOffSPIAnimations"
},
{
"name": "FullName",
"value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations"
}
],
"repeated": 0,
"id": 1094
},
{
"timestamp": "2026-03-08 06:36:06,913",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x0000033c"
}
],
"repeated": 0,
"id": 1095
},
{
"timestamp": "2026-03-08 06:36:06,913",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtAllocateVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x04ee6000"
},
{
"name": "RegionSize",
"value": "0x00001000"
},
{
"name": "Protection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 1096
},
{
"timestamp": "2026-03-08 06:36:06,928",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "GetUserDefaultLCID",
"status": true,
"return": "0x00000419",
"arguments": [
{
"name": "SystemDefaultLangID",
"value": "0x00000419"
},
{
"name": "LanguageName",
"value": "Russian"
}
],
"repeated": 2,
"id": 1097
},
{
"timestamp": "2026-03-08 06:36:08,569",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "misc",
"api": "GetKeyboardLayout",
"status": true,
"return": "0x04190419",
"arguments": [
{
"name": "KeyboardLayout",
"value": "0x00000419"
},
{
"name": "LanguageName",
"value": "Russian"
}
],
"repeated": 2,
"id": 1098
},
{
"timestamp": "2026-03-08 06:36:08,569",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "misc",
"api": "SystemParametersInfoW",
"status": true,
"return": "0x00000001",
"arguments": [
{
"name": "Action",
"value": "0x0000104e"
},
{
"name": "uiParam",
"value": "0x00000000"
}
],
"repeated": 0,
"id": 1099
},
{
"timestamp": "2026-03-08 06:36:08,569",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtQueryInformationToken",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "TokenInformationClass",
"value": "1"
},
{
"name": "TokenInformation",
"value": "\\xec\\xe9(\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xcc\\x04\\x82\\xdf\\xb2e\\xf3\\xf4\\xc8\\x97L\\xbe\\xe8\\x03\\x00\\x004\\x00\\x00\\xc0\\x00\\x00^\\x024\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00l\\x08>\\x00d\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x80\\xf5\\x9d\\x02\\x10\\x00\\x00\\x00\\x9c\\x17Lw"
}
],
"repeated": 0,
"id": 1100
},
{
"timestamp": "2026-03-08 06:36:08,569",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000033c"
},
{
"name": "DesiredAccess",
"value": "0x00020019",
"pretty_value": "KEY_READ"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\REGISTRY\\USER\\S-1-5-21-3749840076-4109591986-3192690632-1000"
},
{
"name": "ObjectAttributes",
"value": "HKEY_CURRENT_USER"
}
],
"repeated": 0,
"id": 1101
},
{
"timestamp": "2026-03-08 06:36:08,569",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtOpenKeyEx",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x00000340"
},
{
"name": "DesiredAccess",
"value": "0x00020019",
"pretty_value": "KEY_READ"
},
{
"name": "ObjectAttributesHandle",
"value": "0x0000033c"
},
{
"name": "ObjectAttributesName",
"value": "Software\\Microsoft\\CTF\\DirectSwitchHotkeys"
},
{
"name": "ObjectAttributes",
"value": "HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\DirectSwitchHotkeys"
}
],
"repeated": 0,
"id": 1102
},
{
"timestamp": "2026-03-08 06:36:08,569",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x0000033c"
}
],
"repeated": 0,
"id": 1103
},
{
"timestamp": "2026-03-08 06:36:08,569",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtEnumerateKey",
"status": false,
"return": "0xffffffff8000001a",
"pretty_return": "NO_MORE_ENTRIES",
"arguments": [
{
"name": "KeyHandle",
"value": "0x00000340"
},
{
"name": "Index",
"value": "0"
}
],
"repeated": 0,
"id": 1104
},
{
"timestamp": "2026-03-08 06:36:08,569",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000340"
}
],
"repeated": 0,
"id": 1105
},
{
"timestamp": "2026-03-08 06:36:08,569",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "GetUserDefaultLCID",
"status": true,
"return": "0x00000419",
"arguments": [
{
"name": "SystemDefaultLangID",
"value": "0x00000419"
},
{
"name": "LanguageName",
"value": "Russian"
}
],
"repeated": 1,
"id": 1106
},
{
"timestamp": "2026-03-08 06:36:09,585",
"thread_id": "6036",
"caller": "0x003016a0",
"parentcaller": "0x003023f0",
"category": "windows",
"api": "PostMessageW",
"status": true,
"return": "0x00000001",
"arguments": [
{
"name": "WindowHandle",
"value": "0x000202ba"
},
{
"name": "Message",
"value": "0x00000000"
}
],
"repeated": 0,
"id": 1107
},
{
"timestamp": "2026-03-08 06:36:09,585",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "GetUserDefaultLCID",
"status": true,
"return": "0x00000419",
"arguments": [
{
"name": "SystemDefaultLangID",
"value": "0x00000419"
},
{
"name": "LanguageName",
"value": "Russian"
}
],
"repeated": 0,
"id": 1108
},
{
"timestamp": "2026-03-08 06:36:09,585",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "misc",
"api": "GetKeyboardLayout",
"status": true,
"return": "0x04190419",
"arguments": [
{
"name": "KeyboardLayout",
"value": "0x00000419"
},
{
"name": "LanguageName",
"value": "Russian"
}
],
"repeated": 2,
"id": 1109
},
{
"timestamp": "2026-03-08 06:36:09,585",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "misc",
"api": "SystemParametersInfoW",
"status": true,
"return": "0x00000001",
"arguments": [
{
"name": "Action",
"value": "0x0000104e"
},
{
"name": "uiParam",
"value": "0x00000000"
}
],
"repeated": 0,
"id": 1110
},
{
"timestamp": "2026-03-08 06:36:09,772",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "misc",
"api": "GetSystemInfo",
"status": true,
"return": "0x00000000",
"arguments": [],
"repeated": 0,
"id": 1111
},
{
"timestamp": "2026-03-08 06:36:09,772",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtAllocateVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x065e0000"
},
{
"name": "RegionSize",
"value": "0x00800000"
},
{
"name": "Protection",
"value": "0x00000001",
"pretty_value": "PAGE_NOACCESS"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 1112
},
{
"timestamp": "2026-03-08 06:36:09,772",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "misc",
"api": "GetSystemInfo",
"status": true,
"return": "0x00000000",
"arguments": [],
"repeated": 0,
"id": 1113
},
{
"timestamp": "2026-03-08 06:36:09,772",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "misc",
"api": "NtQuerySystemInformation",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "SystemInformationClass",
"value": "58"
}
],
"repeated": 0,
"id": 1114
},
{
"timestamp": "2026-03-08 06:36:09,772",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtDuplicateObject",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "SourceProcessHandle",
"value": "0xffffffff"
},
{
"name": "SourceHandle",
"value": "0xfffffffe"
},
{
"name": "TargetProcessHandle",
"value": "0xffffffff"
},
{
"name": "TargetHandle",
"value": "0x00000348"
},
{
"name": "Options",
"value": "0x00000002"
}
],
"repeated": 0,
"id": 1115
},
{
"timestamp": "2026-03-08 06:36:10,210",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtAllocateVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x023f8000"
},
{
"name": "RegionSize",
"value": "0x00007000"
},
{
"name": "Protection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 1116
},
{
"timestamp": "2026-03-08 06:36:10,210",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "GetSystemTime",
"status": true,
"return": "0x00000000",
"arguments": [],
"repeated": 0,
"id": 1117
},
{
"timestamp": "2026-03-08 06:36:10,210",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtDuplicateObject",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "SourceProcessHandle",
"value": "0xffffffff"
},
{
"name": "SourceHandle",
"value": "0xfffffffe"
},
{
"name": "TargetProcessHandle",
"value": "0xffffffff"
},
{
"name": "TargetHandle",
"value": "0x00000374"
},
{
"name": "Options",
"value": "0x00000002"
}
],
"repeated": 0,
"id": 1118
},
{
"timestamp": "2026-03-08 06:36:10,210",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetDllHandle",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileName",
"value": "ext-ms-win-rtcore-ntuser-window-ext-l1-1-0.dll"
},
{
"name": "ModuleHandle",
"value": "0x75d10000"
}
],
"repeated": 0,
"id": 1119
},
{
"timestamp": "2026-03-08 06:36:10,210",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x73814000"
},
{
"name": "ModuleName",
"value": "CoreMessaging.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "OldAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 1120
},
{
"timestamp": "2026-03-08 06:36:10,210",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "USER32.dll"
},
{
"name": "ModuleHandle",
"value": "0x75d10000"
},
{
"name": "FunctionName",
"value": "IsGUIThread"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x75d502b0"
}
],
"repeated": 0,
"id": 1121
},
{
"timestamp": "2026-03-08 06:36:10,210",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x73814000"
},
{
"name": "ModuleName",
"value": "CoreMessaging.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 1122
},
{
"timestamp": "2026-03-08 06:36:10,210",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetDllHandle",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileName",
"value": "ntdll.dll"
},
{
"name": "ModuleHandle",
"value": "0x77e40000"
}
],
"repeated": 0,
"id": 1123
},
{
"timestamp": "2026-03-08 06:36:10,210",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "ntdll.dll"
},
{
"name": "ModuleHandle",
"value": "0x77e40000"
},
{
"name": "FunctionName",
"value": "RtlRegisterFeatureConfigurationChangeNotification"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x77e724f0"
}
],
"repeated": 0,
"id": 1124
},
{
"timestamp": "2026-03-08 06:36:10,210",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "ntdll.dll"
},
{
"name": "ModuleHandle",
"value": "0x77e40000"
},
{
"name": "FunctionName",
"value": "NtQueryWnfStateData"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x77eb40c0"
}
],
"repeated": 0,
"id": 1125
},
{
"timestamp": "2026-03-08 06:36:10,210",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "ntdll.dll"
},
{
"name": "ModuleHandle",
"value": "0x77e40000"
},
{
"name": "FunctionName",
"value": "RtlSubscribeWnfStateChangeNotification"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x77e70780"
}
],
"repeated": 0,
"id": 1126
},
{
"timestamp": "2026-03-08 06:36:10,210",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "ntdll.dll"
},
{
"name": "ModuleHandle",
"value": "0x77e40000"
},
{
"name": "FunctionName",
"value": "RtlDisownModuleHeapAllocation"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x77eac2a0"
}
],
"repeated": 0,
"id": 1127
},
{
"timestamp": "2026-03-08 06:36:10,210",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "ntdll.dll"
},
{
"name": "ModuleHandle",
"value": "0x77e40000"
},
{
"name": "FunctionName",
"value": "RtlQueryFeatureConfiguration"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x77ea52e0"
}
],
"repeated": 0,
"id": 1128
},
{
"timestamp": "2026-03-08 06:36:10,210",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "ntdll.dll"
},
{
"name": "ModuleHandle",
"value": "0x77e40000"
},
{
"name": "FunctionName",
"value": "RtlDllShutdownInProgress"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x77e9f5a0"
}
],
"repeated": 0,
"id": 1129
},
{
"timestamp": "2026-03-08 06:36:10,210",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "synchronization",
"api": "NtCreateMutant",
"status": true,
"return": "0x40000000",
"arguments": [
{
"name": "Handle",
"value": "0x0000037c"
},
{
"name": "MutexName",
"value": "Local\\SM0:6132:168:WilStaging_02"
},
{
"name": "InitialOwner",
"value": "0"
}
],
"repeated": 0,
"id": 1130
},
{
"timestamp": "2026-03-08 06:36:10,210",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtWaitForSingleObject",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x0000037c"
},
{
"name": "Milliseconds",
"value": "18446744073709551615"
},
{
"name": "Status",
"value": "Infinite"
}
],
"repeated": 0,
"id": 1131
},
{
"timestamp": "2026-03-08 06:36:10,210",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "GetSystemTimeAsFileTime",
"status": true,
"return": "0x00000000",
"arguments": [],
"repeated": 0,
"id": 1132
},
{
"timestamp": "2026-03-08 06:36:10,210",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtWaitForSingleObject",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000380"
},
{
"name": "Milliseconds",
"value": "0"
}
],
"repeated": 0,
"id": 1133
},
{
"timestamp": "2026-03-08 06:36:10,210",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000380"
}
],
"repeated": 0,
"id": 1134
},
{
"timestamp": "2026-03-08 06:36:10,210",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "synchronization",
"api": "NtReleaseMutant",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x0000037c"
}
],
"repeated": 1,
"id": 1135
},
{
"timestamp": "2026-03-08 06:36:10,210",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x73814000"
},
{
"name": "ModuleName",
"value": "CoreMessaging.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "OldAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 1136
},
{
"timestamp": "2026-03-08 06:36:10,210",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "USER32.dll"
},
{
"name": "ModuleHandle",
"value": "0x75d10000"
},
{
"name": "FunctionName",
"value": "RegisterClassExW"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x75d3dfe0"
}
],
"repeated": 0,
"id": 1137
},
{
"timestamp": "2026-03-08 06:36:10,210",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x73814000"
},
{
"name": "ModuleName",
"value": "CoreMessaging.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 1138
},
{
"timestamp": "2026-03-08 06:36:10,210",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x73814000"
},
{
"name": "ModuleName",
"value": "CoreMessaging.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "OldAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 1139
},
{
"timestamp": "2026-03-08 06:36:10,210",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "USER32.dll"
},
{
"name": "ModuleHandle",
"value": "0x75d10000"
},
{
"name": "FunctionName",
"value": "CreateWindowExW"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x75d3f220"
}
],
"repeated": 0,
"id": 1140
},
{
"timestamp": "2026-03-08 06:36:10,210",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x73814000"
},
{
"name": "ModuleName",
"value": "CoreMessaging.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 1141
},
{
"timestamp": "2026-03-08 06:36:10,210",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x73814000"
},
{
"name": "ModuleName",
"value": "CoreMessaging.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "OldAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 1142
},
{
"timestamp": "2026-03-08 06:36:10,210",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "USER32.dll"
},
{
"name": "ModuleHandle",
"value": "0x75d10000"
},
{
"name": "FunctionName",
"value": "DefWindowProcW"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x77ec7fa0"
}
],
"repeated": 0,
"id": 1143
},
{
"timestamp": "2026-03-08 06:36:10,210",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x73814000"
},
{
"name": "ModuleName",
"value": "CoreMessaging.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 1144
},
{
"timestamp": "2026-03-08 06:36:10,210",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x73814000"
},
{
"name": "ModuleName",
"value": "CoreMessaging.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "OldAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 1145
},
{
"timestamp": "2026-03-08 06:36:10,210",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "USER32.dll"
},
{
"name": "ModuleHandle",
"value": "0x75d10000"
},
{
"name": "FunctionName",
"value": "SetWindowLongW"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x75d45420"
}
],
"repeated": 0,
"id": 1146
},
{
"timestamp": "2026-03-08 06:36:10,210",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x73814000"
},
{
"name": "ModuleName",
"value": "CoreMessaging.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 1147
},
{
"timestamp": "2026-03-08 06:36:10,210",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x73814000"
},
{
"name": "ModuleName",
"value": "CoreMessaging.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "OldAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 1148
},
{
"timestamp": "2026-03-08 06:36:10,210",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "USER32.dll"
},
{
"name": "ModuleHandle",
"value": "0x75d10000"
},
{
"name": "FunctionName",
"value": "SetTimer"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x75d4e970"
}
],
"repeated": 0,
"id": 1149
},
{
"timestamp": "2026-03-08 06:36:10,210",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x73814000"
},
{
"name": "ModuleName",
"value": "CoreMessaging.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 1150
},
{
"timestamp": "2026-03-08 06:36:10,210",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x73814000"
},
{
"name": "ModuleName",
"value": "CoreMessaging.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "OldAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 1151
},
{
"timestamp": "2026-03-08 06:36:10,210",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "USER32.dll"
},
{
"name": "ModuleHandle",
"value": "0x75d10000"
},
{
"name": "FunctionName",
"value": ""
},
{
"name": "Ordinal",
"value": "2612"
},
{
"name": "FunctionAddress",
"value": "0x75d50620"
}
],
"repeated": 0,
"id": 1152
},
{
"timestamp": "2026-03-08 06:36:10,210",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x73814000"
},
{
"name": "ModuleName",
"value": "CoreMessaging.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 1153
},
{
"timestamp": "2026-03-08 06:36:10,210",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x73814000"
},
{
"name": "ModuleName",
"value": "CoreMessaging.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "OldAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 1154
},
{
"timestamp": "2026-03-08 06:36:10,210",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "USER32.dll"
},
{
"name": "ModuleHandle",
"value": "0x75d10000"
},
{
"name": "FunctionName",
"value": "GetWindowLongW"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x75d48510"
}
],
"repeated": 0,
"id": 1155
},
{
"timestamp": "2026-03-08 06:36:10,210",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x73814000"
},
{
"name": "ModuleName",
"value": "CoreMessaging.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 1156
},
{
"timestamp": "2026-03-08 06:36:10,210",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x73814000"
},
{
"name": "ModuleName",
"value": "CoreMessaging.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "OldAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 1157
},
{
"timestamp": "2026-03-08 06:36:10,210",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "USER32.dll"
},
{
"name": "ModuleHandle",
"value": "0x75d10000"
},
{
"name": "FunctionName",
"value": "GetWindowThreadProcessId"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x75d4a660"
}
],
"repeated": 0,
"id": 1158
},
{
"timestamp": "2026-03-08 06:36:10,210",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x73814000"
},
{
"name": "ModuleName",
"value": "CoreMessaging.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 1159
},
{
"timestamp": "2026-03-08 06:36:10,210",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x73814000"
},
{
"name": "ModuleName",
"value": "CoreMessaging.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "OldAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 1160
},
{
"timestamp": "2026-03-08 06:36:10,210",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "USER32.dll"
},
{
"name": "ModuleHandle",
"value": "0x75d10000"
},
{
"name": "FunctionName",
"value": "SendMessageCallbackW"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x75d4fdb0"
}
],
"repeated": 0,
"id": 1161
},
{
"timestamp": "2026-03-08 06:36:10,210",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x73814000"
},
{
"name": "ModuleName",
"value": "CoreMessaging.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 1162
},
{
"timestamp": "2026-03-08 06:36:10,225",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtDuplicateObject",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "SourceProcessHandle",
"value": "0xffffffff"
},
{
"name": "SourceHandle",
"value": "0xfffffffe"
},
{
"name": "TargetProcessHandle",
"value": "0xffffffff"
},
{
"name": "TargetHandle",
"value": "0x00000380"
},
{
"name": "Options",
"value": "0x00000002"
}
],
"repeated": 0,
"id": 1163
},
{
"timestamp": "2026-03-08 06:36:10,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x73814000"
},
{
"name": "ModuleName",
"value": "CoreMessaging.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "OldAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 1164
},
{
"timestamp": "2026-03-08 06:36:10,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "combase.dll"
},
{
"name": "ModuleHandle",
"value": "0x77b50000"
},
{
"name": "FunctionName",
"value": "CoCreateGuid"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x77bf6f40"
}
],
"repeated": 0,
"id": 1165
},
{
"timestamp": "2026-03-08 06:36:10,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x73814000"
},
{
"name": "ModuleName",
"value": "CoreMessaging.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 1166
},
{
"timestamp": "2026-03-08 06:36:10,725",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtQueryInformationToken",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "TokenInformationClass",
"value": "29"
},
{
"name": "TokenInformation",
"value": "\\x00\\x00\\x00\\x00"
}
],
"repeated": 0,
"id": 1167
},
{
"timestamp": "2026-03-08 06:36:10,866",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtAllocateVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x065e0000"
},
{
"name": "RegionSize",
"value": "0x00001000"
},
{
"name": "Protection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 1168
},
{
"timestamp": "2026-03-08 06:36:10,866",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x73814000"
},
{
"name": "ModuleName",
"value": "CoreMessaging.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "OldAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 1169
},
{
"timestamp": "2026-03-08 06:36:10,866",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "USER32.dll"
},
{
"name": "ModuleHandle",
"value": "0x75d10000"
},
{
"name": "FunctionName",
"value": ""
},
{
"name": "Ordinal",
"value": "2582"
},
{
"name": "FunctionAddress",
"value": "0x75d500a0"
}
],
"repeated": 0,
"id": 1170
},
{
"timestamp": "2026-03-08 06:36:10,866",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x73814000"
},
{
"name": "ModuleName",
"value": "CoreMessaging.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 1171
},
{
"timestamp": "2026-03-08 06:36:11,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "GetSystemTimeAsFileTime",
"status": true,
"return": "0x00000000",
"arguments": [],
"repeated": 0,
"id": 1172
},
{
"timestamp": "2026-03-08 06:36:11,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "misc",
"api": "srand",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "seed",
"value": "0x69ad18db"
}
],
"repeated": 0,
"id": 1173
},
{
"timestamp": "2026-03-08 06:36:11,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "GetSystemTimeAsFileTime",
"status": true,
"return": "0x00000000",
"arguments": [],
"repeated": 0,
"id": 1174
},
{
"timestamp": "2026-03-08 06:36:11,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetDllHandle",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileName",
"value": "ntdll.dll"
},
{
"name": "ModuleHandle",
"value": "0x77e40000"
}
],
"repeated": 0,
"id": 1175
},
{
"timestamp": "2026-03-08 06:36:11,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "ntdll.dll"
},
{
"name": "ModuleHandle",
"value": "0x77e40000"
},
{
"name": "FunctionName",
"value": "RtlRegisterFeatureConfigurationChangeNotification"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x77e724f0"
}
],
"repeated": 0,
"id": 1176
},
{
"timestamp": "2026-03-08 06:36:11,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "ntdll.dll"
},
{
"name": "ModuleHandle",
"value": "0x77e40000"
},
{
"name": "FunctionName",
"value": "NtQueryWnfStateData"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x77eb40c0"
}
],
"repeated": 0,
"id": 1177
},
{
"timestamp": "2026-03-08 06:36:11,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "ntdll.dll"
},
{
"name": "ModuleHandle",
"value": "0x77e40000"
},
{
"name": "FunctionName",
"value": "RtlSubscribeWnfStateChangeNotification"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x77e70780"
}
],
"repeated": 0,
"id": 1178
},
{
"timestamp": "2026-03-08 06:36:11,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtAllocateVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x00361000"
},
{
"name": "RegionSize",
"value": "0x00001000"
},
{
"name": "Protection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 1179
},
{
"timestamp": "2026-03-08 06:36:11,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "ntdll.dll"
},
{
"name": "ModuleHandle",
"value": "0x77e40000"
},
{
"name": "FunctionName",
"value": "RtlDisownModuleHeapAllocation"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x77eac2a0"
}
],
"repeated": 0,
"id": 1180
},
{
"timestamp": "2026-03-08 06:36:11,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "ntdll.dll"
},
{
"name": "ModuleHandle",
"value": "0x77e40000"
},
{
"name": "FunctionName",
"value": "RtlQueryFeatureConfiguration"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x77ea52e0"
}
],
"repeated": 0,
"id": 1181
},
{
"timestamp": "2026-03-08 06:36:11,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "ntdll.dll"
},
{
"name": "ModuleHandle",
"value": "0x77e40000"
},
{
"name": "FunctionName",
"value": "RtlDllShutdownInProgress"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x77e9f5a0"
}
],
"repeated": 0,
"id": 1182
},
{
"timestamp": "2026-03-08 06:36:11,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "synchronization",
"api": "NtCreateMutant",
"status": true,
"return": "0x40000000",
"arguments": [
{
"name": "Handle",
"value": "0x0000038c"
},
{
"name": "MutexName",
"value": "Local\\SM0:6132:168:WilStaging_02"
},
{
"name": "InitialOwner",
"value": "0"
}
],
"repeated": 0,
"id": 1183
},
{
"timestamp": "2026-03-08 06:36:11,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtWaitForSingleObject",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x0000038c"
},
{
"name": "Milliseconds",
"value": "18446744073709551615"
},
{
"name": "Status",
"value": "Infinite"
}
],
"repeated": 0,
"id": 1184
},
{
"timestamp": "2026-03-08 06:36:11,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "GetSystemTimeAsFileTime",
"status": true,
"return": "0x00000000",
"arguments": [],
"repeated": 0,
"id": 1185
},
{
"timestamp": "2026-03-08 06:36:11,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtWaitForSingleObject",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000390"
},
{
"name": "Milliseconds",
"value": "0"
}
],
"repeated": 0,
"id": 1186
},
{
"timestamp": "2026-03-08 06:36:11,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000390"
}
],
"repeated": 0,
"id": 1187
},
{
"timestamp": "2026-03-08 06:36:11,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "synchronization",
"api": "NtReleaseMutant",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x0000038c"
}
],
"repeated": 1,
"id": 1188
},
{
"timestamp": "2026-03-08 06:36:11,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "misc",
"api": "RtlSetCurrentTransaction",
"status": true,
"return": "0x00000001",
"arguments": [
{
"name": "TransactionHandle",
"value": "0x00000000"
}
],
"repeated": 1,
"id": 1189
},
{
"timestamp": "2026-03-08 06:36:11,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtOpenKeyEx",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x00000390"
},
{
"name": "DesiredAccess",
"value": "0x00020019",
"pretty_value": "KEY_READ"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000130"
},
{
"name": "ObjectAttributesName",
"value": "Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
}
],
"repeated": 0,
"id": 1190
},
{
"timestamp": "2026-03-08 06:36:11,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "KeyHandle",
"value": "0x00000390"
},
{
"name": "ValueName",
"value": "IsVailContainer"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\IsVailContainer"
}
],
"repeated": 0,
"id": 1191
},
{
"timestamp": "2026-03-08 06:36:11,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000390"
}
],
"repeated": 0,
"id": 1192
},
{
"timestamp": "2026-03-08 06:36:11,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "misc",
"api": "RtlSetCurrentTransaction",
"status": true,
"return": "0x00000001",
"arguments": [
{
"name": "TransactionHandle",
"value": "0x00000000"
}
],
"repeated": 1,
"id": 1193
},
{
"timestamp": "2026-03-08 06:36:11,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtOpenKeyEx",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x00000390"
},
{
"name": "DesiredAccess",
"value": "0x00020019",
"pretty_value": "KEY_READ"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000130"
},
{
"name": "ObjectAttributesName",
"value": "Software\\Microsoft\\Input"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Input"
}
],
"repeated": 0,
"id": 1194
},
{
"timestamp": "2026-03-08 06:36:11,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "KeyHandle",
"value": "0x00000390"
},
{
"name": "ValueName",
"value": "ResyncResetTime"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Input\\ResyncResetTime"
}
],
"repeated": 0,
"id": 1195
},
{
"timestamp": "2026-03-08 06:36:11,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "KeyHandle",
"value": "0x00000390"
},
{
"name": "ValueName",
"value": "MaxResyncAttempts"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Input\\MaxResyncAttempts"
}
],
"repeated": 0,
"id": 1196
},
{
"timestamp": "2026-03-08 06:36:11,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000390"
}
],
"repeated": 0,
"id": 1197
},
{
"timestamp": "2026-03-08 06:36:11,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x73b5e000"
},
{
"name": "ModuleName",
"value": "textinputframework.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "OldAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 1198
},
{
"timestamp": "2026-03-08 06:36:11,069",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x73b5e000"
},
{
"name": "ModuleName",
"value": "textinputframework.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 1199
},
{
"timestamp": "2026-03-08 06:36:11,085",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x73b5e000"
},
{
"name": "ModuleName",
"value": "textinputframework.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "OldAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 1200
},
{
"timestamp": "2026-03-08 06:36:11,085",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x73b5e000"
},
{
"name": "ModuleName",
"value": "textinputframework.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 1201
},
{
"timestamp": "2026-03-08 06:36:11,085",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x73b5e000"
},
{
"name": "ModuleName",
"value": "textinputframework.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "OldAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 1202
},
{
"timestamp": "2026-03-08 06:36:11,085",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x73b5e000"
},
{
"name": "ModuleName",
"value": "textinputframework.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 1203
},
{
"timestamp": "2026-03-08 06:36:11,085",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x73b5e000"
},
{
"name": "ModuleName",
"value": "textinputframework.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "OldAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 1204
},
{
"timestamp": "2026-03-08 06:36:11,085",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x73b5e000"
},
{
"name": "ModuleName",
"value": "textinputframework.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 1205
},
{
"timestamp": "2026-03-08 06:36:11,085",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x76c68000"
},
{
"name": "ModuleName",
"value": "MSCTF.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "OldAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 1206
},
{
"timestamp": "2026-03-08 06:36:11,085",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x76c68000"
},
{
"name": "ModuleName",
"value": "MSCTF.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 1207
},
{
"timestamp": "2026-03-08 06:36:11,085",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetDllHandle",
"status": false,
"return": "0xffffffffc0000135",
"pretty_return": "DLL_NOT_FOUND",
"arguments": [
{
"name": "FileName",
"value": "iertutil.dll"
},
{
"name": "ModuleHandle",
"value": "0x73b08c66"
}
],
"repeated": 0,
"id": 1208
},
{
"timestamp": "2026-03-08 06:36:11,194",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "synchronization",
"api": "NtOpenEvent",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "Handle",
"value": "0x00000000"
},
{
"name": "EventName",
"value": "Local\\1ImmersiveFocusTrackingActiveEvent"
}
],
"repeated": 0,
"id": 1209
},
{
"timestamp": "2026-03-08 06:36:11,194",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "misc",
"api": "GetKeyboardLayout",
"status": true,
"return": "0x04190419",
"arguments": [
{
"name": "KeyboardLayout",
"value": "0x00000419"
},
{
"name": "LanguageName",
"value": "Russian"
}
],
"repeated": 0,
"id": 1210
},
{
"timestamp": "2026-03-08 06:36:11,194",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "synchronization",
"api": "NtOpenEvent",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "Handle",
"value": "0x00000000"
},
{
"name": "EventName",
"value": "Local\\1ImmersiveFocusTrackingActiveEvent"
}
],
"repeated": 0,
"id": 1211
},
{
"timestamp": "2026-03-08 06:36:11,194",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "misc",
"api": "GetKeyboardLayout",
"status": true,
"return": "0x04190419",
"arguments": [
{
"name": "KeyboardLayout",
"value": "0x00000419"
},
{
"name": "LanguageName",
"value": "Russian"
}
],
"repeated": 0,
"id": 1212
},
{
"timestamp": "2026-03-08 06:36:11,194",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "misc",
"api": "RtlSetCurrentTransaction",
"status": true,
"return": "0x00000001",
"arguments": [
{
"name": "TransactionHandle",
"value": "0x00000000"
}
],
"repeated": 1,
"id": 1213
},
{
"timestamp": "2026-03-08 06:36:11,194",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtOpenKeyEx",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x00000390"
},
{
"name": "DesiredAccess",
"value": "0x00000001",
"pretty_value": "KEY_QUERY_VALUE"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000130"
},
{
"name": "ObjectAttributesName",
"value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\OOBE"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\OOBE"
}
],
"repeated": 0,
"id": 1214
},
{
"timestamp": "2026-03-08 06:36:11,194",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "KeyHandle",
"value": "0x00000390"
},
{
"name": "ValueName",
"value": "LaunchUserOOBE"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\OOBE\\LaunchUserOOBE"
}
],
"repeated": 0,
"id": 1215
},
{
"timestamp": "2026-03-08 06:36:11,194",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000390"
}
],
"repeated": 0,
"id": 1216
},
{
"timestamp": "2026-03-08 06:36:11,210",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000340"
}
],
"repeated": 0,
"id": 1217
},
{
"timestamp": "2026-03-08 06:36:11,210",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000384"
}
],
"repeated": 0,
"id": 1218
},
{
"timestamp": "2026-03-08 06:36:11,210",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000368"
}
],
"repeated": 0,
"id": 1219
},
{
"timestamp": "2026-03-08 06:36:11,210",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000370"
}
],
"repeated": 0,
"id": 1220
},
{
"timestamp": "2026-03-08 06:36:11,210",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x0000036c"
}
],
"repeated": 0,
"id": 1221
},
{
"timestamp": "2026-03-08 06:36:11,210",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000380"
}
],
"repeated": 0,
"id": 1222
},
{
"timestamp": "2026-03-08 06:36:11,210",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000388"
}
],
"repeated": 0,
"id": 1223
},
{
"timestamp": "2026-03-08 06:36:11,413",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002e4"
}
],
"repeated": 0,
"id": 1224
},
{
"timestamp": "2026-03-08 06:36:11,413",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002c0"
}
],
"repeated": 0,
"id": 1225
},
{
"timestamp": "2026-03-08 06:36:11,413",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x77d97000"
},
{
"name": "ModuleName",
"value": "combase.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "OldAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 1226
},
{
"timestamp": "2026-03-08 06:36:11,413",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x77d97000"
},
{
"name": "ModuleName",
"value": "combase.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 1227
},
{
"timestamp": "2026-03-08 06:36:11,413",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "LdrGetDllHandle",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileName",
"value": "oleaut32.dll"
},
{
"name": "ModuleHandle",
"value": "0x76060000"
}
],
"repeated": 0,
"id": 1228
},
{
"timestamp": "2026-03-08 06:36:11,413",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x77d97000"
},
{
"name": "ModuleName",
"value": "combase.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "OldAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 1229
},
{
"timestamp": "2026-03-08 06:36:11,413",
"thread_id": "6036",
"caller": "0x003023f0",
"parentcaller": "0x00301ea7",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x77d97000"
},
{
"name": "ModuleName",
"value": "combase.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 1230
},
{
"timestamp": "2026-03-08 06:36:11,413",
"thread_id": "1572",
"caller": "0x77267322",
"parentcaller": "0x77267238",
"category": "device",
"api": "NtDeviceIoControlFile",
"status": false,
"return": "0xffffffffc00700bb",
"arguments": [
{
"name": "FileHandle",
"value": "0x00000088"
},
{
"name": "HandleName",
"value": "\\Device\\ConDrv"
},
{
"name": "IoControlCode",
"value": "0x00500016"
},
{
"name": "InputBuffer",
"value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\xf2\r\\x05\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa0\\xf2\r\\x05\\x00\\x00\\x00\\x00"
},
{
"name": "OutputBuffer",
"value": ""
}
],
"repeated": 0,
"id": 1231
},
{
"timestamp": "2026-03-08 06:36:11,413",
"thread_id": "1572",
"caller": "0x77ea64d6",
"parentcaller": "0x77ea63e1",
"category": "threading",
"api": "NtTestAlert",
"status": true,
"return": "0x00000000",
"arguments": [],
"repeated": 0,
"id": 1232
},
{
"timestamp": "2026-03-08 06:36:11,413",
"thread_id": "1572",
"caller": "0x00000000",
"parentcaller": "0x00000000",
"category": "threading",
"api": "RtlUserThreadStart",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "StartAddress",
"value": "0x00000000"
},
{
"name": "Parameter",
"value": "0x00000000"
}
],
"repeated": 0,
"id": 1233
},
{
"timestamp": "2026-03-08 06:36:11,413",
"thread_id": "6036",
"caller": "0x00302419",
"parentcaller": "0x00301ea7",
"category": "misc",
"api": "RtlSetCurrentTransaction",
"status": true,
"return": "0x00000001",
"arguments": [
{
"name": "TransactionHandle",
"value": "0x00000000"
}
],
"repeated": 1,
"id": 1234
},
{
"timestamp": "2026-03-08 06:36:11,413",
"thread_id": "6036",
"caller": "0x00302419",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtCreateKey",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "KeyHandle",
"value": "0x00000000"
},
{
"name": "DesiredAccess",
"value": "0x02000000",
"pretty_value": "MAXIMUM_ALLOWED"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000294"
},
{
"name": "ObjectAttributesName",
"value": "Software\\Sysinternals\\Strings"
},
{
"name": "ObjectAttributes",
"value": "HKEY_CURRENT_USER\\Software\\Sysinternals\\Strings"
},
{
"name": "Class",
"value": ""
},
{
"name": "Disposition",
"value": "2683260"
}
],
"repeated": 0,
"id": 1235
},
{
"timestamp": "2026-03-08 06:36:11,413",
"thread_id": "1572",
"caller": "0x7726269a",
"parentcaller": "0x737b126a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000388"
}
],
"repeated": 0,
"id": 1236
},
{
"timestamp": "2026-03-08 06:36:11,413",
"thread_id": "6036",
"caller": "0x00302419",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtCreateKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x00000380"
},
{
"name": "DesiredAccess",
"value": "0x02000000",
"pretty_value": "MAXIMUM_ALLOWED"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000294"
},
{
"name": "ObjectAttributesName",
"value": "Software"
},
{
"name": "ObjectAttributes",
"value": "HKEY_CURRENT_USER\\Software"
},
{
"name": "Class",
"value": ""
},
{
"name": "Disposition",
"value": "2",
"pretty_value": "REG_OPENED_EXISTING_KEY"
}
],
"repeated": 0,
"id": 1237
},
{
"timestamp": "2026-03-08 06:36:11,413",
"thread_id": "6036",
"caller": "0x00302419",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtCreateKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x0000033c"
},
{
"name": "DesiredAccess",
"value": "0x02000000",
"pretty_value": "MAXIMUM_ALLOWED"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000380"
},
{
"name": "ObjectAttributesName",
"value": "Sysinternals"
},
{
"name": "ObjectAttributes",
"value": "HKEY_CURRENT_USER\\SOFTWARE\\Sysinternals"
},
{
"name": "Class",
"value": ""
},
{
"name": "Disposition",
"value": "1",
"pretty_value": "REG_CREATED_NEW_KEY"
}
],
"repeated": 0,
"id": 1238
},
{
"timestamp": "2026-03-08 06:36:11,413",
"thread_id": "6036",
"caller": "0x00302419",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000380"
}
],
"repeated": 0,
"id": 1239
},
{
"timestamp": "2026-03-08 06:36:11,413",
"thread_id": "6036",
"caller": "0x00302419",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "NtCreateKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x00000380"
},
{
"name": "DesiredAccess",
"value": "0x02000000",
"pretty_value": "MAXIMUM_ALLOWED"
},
{
"name": "ObjectAttributesHandle",
"value": "0x0000033c"
},
{
"name": "ObjectAttributesName",
"value": "Strings"
},
{
"name": "ObjectAttributes",
"value": "HKEY_CURRENT_USER\\SOFTWARE\\Sysinternals\\Strings"
},
{
"name": "Class",
"value": ""
},
{
"name": "Disposition",
"value": "1",
"pretty_value": "REG_CREATED_NEW_KEY"
}
],
"repeated": 0,
"id": 1240
},
{
"timestamp": "2026-03-08 06:36:11,413",
"thread_id": "6036",
"caller": "0x00302419",
"parentcaller": "0x00301ea7",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x0000033c"
}
],
"repeated": 0,
"id": 1241
},
{
"timestamp": "2026-03-08 06:36:11,413",
"thread_id": "6036",
"caller": "0x00302438",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "RegSetValueExA",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000380"
},
{
"name": "ValueName",
"value": "EulaAccepted"
},
{
"name": "Type",
"value": "4",
"pretty_value": "REG_DWORD"
},
{
"name": "Buffer",
"value": "1"
},
{
"name": "BufferLength",
"value": "4"
},
{
"name": "FullName",
"value": "HKEY_CURRENT_USER\\SOFTWARE\\Sysinternals\\Strings\\EulaAccepted"
}
],
"repeated": 0,
"id": 1242
},
{
"timestamp": "2026-03-08 06:36:11,413",
"thread_id": "6036",
"caller": "0x00302440",
"parentcaller": "0x00301ea7",
"category": "registry",
"api": "RegCloseKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000380"
}
],
"repeated": 0,
"id": 1243
},
{
"timestamp": "2026-03-08 06:36:11,413",
"thread_id": "2028",
"caller": "0x77267322",
"parentcaller": "0x77267238",
"category": "device",
"api": "NtDeviceIoControlFile",
"status": false,
"return": "0xffffffffc00700bb",
"arguments": [
{
"name": "FileHandle",
"value": "0x00000088"
},
{
"name": "HandleName",
"value": "\\Device\\ConDrv"
},
{
"name": "IoControlCode",
"value": "0x00500016"
},
{
"name": "InputBuffer",
"value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00X\\xf2\\x1d\\x05\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\xf2\\x1d\\x05\\x00\\x00\\x00\\x00"
},
{
"name": "OutputBuffer",
"value": ""
}
],
"repeated": 0,
"id": 1244
},
{
"timestamp": "2026-03-08 06:36:11,413",
"thread_id": "2028",
"caller": "0x77ea64d6",
"parentcaller": "0x77ea63e1",
"category": "threading",
"api": "NtTestAlert",
"status": true,
"return": "0x00000000",
"arguments": [],
"repeated": 0,
"id": 1245
},
{
"timestamp": "2026-03-08 06:36:11,413",
"thread_id": "2028",
"caller": "0x00000000",
"parentcaller": "0x00000000",
"category": "threading",
"api": "RtlUserThreadStart",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "StartAddress",
"value": "0x00000000"
},
{
"name": "Parameter",
"value": "0x00000000"
}
],
"repeated": 0,
"id": 1246
},
{
"timestamp": "2026-03-08 06:36:11,413",
"thread_id": "6036",
"caller": "0x0032d66c",
"parentcaller": "0x0032daee",
"category": "filesystem",
"api": "NtWriteFile",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileHandle",
"value": "0x0000009c"
},
{
"name": "HandleName",
"value": "\\Device\\ConDrv"
},
{
"name": "Buffer",
"value": "usage: C:\\Users\\cape\\AppData\\Local\\Temp\\strings.exe [-a] [-f offset] [-b bytes] [-n length] [-o] [-s] [-u] \r\n"
},
{
"name": "Length",
"value": "128"
}
],
"repeated": 0,
"id": 1247
},
{
"timestamp": "2026-03-08 06:36:11,413",
"thread_id": "6036",
"caller": "0x0032d66c",
"parentcaller": "0x0032daee",
"category": "filesystem",
"api": "NtWriteFile",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileHandle",
"value": "0x0000009c"
},
{
"name": "HandleName",
"value": "\\Device\\ConDrv"
},
{
"name": "Buffer",
"value": "-a Ascii-only search (Unicode and Ascii is default)\r\n"
},
{
"name": "Length",
"value": "57"
}
],
"repeated": 0,
"id": 1248
},
{
"timestamp": "2026-03-08 06:36:11,413",
"thread_id": "6036",
"caller": "0x0032d66c",
"parentcaller": "0x0032daee",
"category": "filesystem",
"api": "NtWriteFile",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileHandle",
"value": "0x0000009c"
},
{
"name": "HandleName",
"value": "\\Device\\ConDrv"
},
{
"name": "Buffer",
"value": "-b Bytes of file to scan\r\n"
},
{
"name": "Length",
"value": "30"
}
],
"repeated": 0,
"id": 1249
},
{
"timestamp": "2026-03-08 06:36:11,413",
"thread_id": "6036",
"caller": "0x0032d66c",
"parentcaller": "0x0032daee",
"category": "filesystem",
"api": "NtWriteFile",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileHandle",
"value": "0x0000009c"
},
{
"name": "HandleName",
"value": "\\Device\\ConDrv"
},
{
"name": "Buffer",
"value": "-f File offset at which to start scanning.\r\n"
},
{
"name": "Length",
"value": "48"
}
],
"repeated": 0,
"id": 1250
},
{
"timestamp": "2026-03-08 06:36:11,413",
"thread_id": "6036",
"caller": "0x0032d66c",
"parentcaller": "0x0032daee",
"category": "filesystem",
"api": "NtWriteFile",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileHandle",
"value": "0x0000009c"
},
{
"name": "HandleName",
"value": "\\Device\\ConDrv"
},
{
"name": "Buffer",
"value": "-o Print offset in file string was located\r\n"
},
{
"name": "Length",
"value": "48"
}
],
"repeated": 0,
"id": 1251
},
{
"timestamp": "2026-03-08 06:36:11,428",
"thread_id": "6036",
"caller": "0x0032d66c",
"parentcaller": "0x0032daee",
"category": "filesystem",
"api": "NtWriteFile",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileHandle",
"value": "0x0000009c"
},
{
"name": "HandleName",
"value": "\\Device\\ConDrv"
},
{
"name": "Buffer",
"value": "-n Minimum string length (default is 3)\r\n"
},
{
"name": "Length",
"value": "45"
}
],
"repeated": 0,
"id": 1252
},
{
"timestamp": "2026-03-08 06:36:11,428",
"thread_id": "6036",
"caller": "0x0032d66c",
"parentcaller": "0x0032daee",
"category": "filesystem",
"api": "NtWriteFile",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileHandle",
"value": "0x0000009c"
},
{
"name": "HandleName",
"value": "\\Device\\ConDrv"
},
{
"name": "Buffer",
"value": "-s Recurse subdirectories\r\n"
},
{
"name": "Length",
"value": "31"
}
],
"repeated": 0,
"id": 1253
},
{
"timestamp": "2026-03-08 06:36:11,428",
"thread_id": "6036",
"caller": "0x0032d66c",
"parentcaller": "0x0032daee",
"category": "filesystem",
"api": "NtWriteFile",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileHandle",
"value": "0x0000009c"
},
{
"name": "HandleName",
"value": "\\Device\\ConDrv"
},
{
"name": "Buffer",
"value": "-u Unicode-only search (Unicode and Ascii is default)\r\n"
},
{
"name": "Length",
"value": "59"
}
],
"repeated": 0,
"id": 1254
},
{
"timestamp": "2026-03-08 06:36:11,428",
"thread_id": "6036",
"caller": "0x0032d66c",
"parentcaller": "0x0032daee",
"category": "filesystem",
"api": "NtWriteFile",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileHandle",
"value": "0x0000009c"
},
{
"name": "HandleName",
"value": "\\Device\\ConDrv"
},
{
"name": "Buffer",
"value": "-nobanner\r\n"
},
{
"name": "Length",
"value": "11"
}
],
"repeated": 0,
"id": 1255
},
{
"timestamp": "2026-03-08 06:36:11,428",
"thread_id": "6036",
"caller": "0x0032d66c",
"parentcaller": "0x0032daee",
"category": "filesystem",
"api": "NtWriteFile",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileHandle",
"value": "0x0000009c"
},
{
"name": "HandleName",
"value": "\\Device\\ConDrv"
},
{
"name": "Buffer",
"value": " Do not display the startup banner and copyright message.\r\n"
},
{
"name": "Length",
"value": "65"
}
],
"repeated": 0,
"id": 1256
},
{
"timestamp": "2026-03-08 06:36:11,428",
"thread_id": "6036",
"caller": "0x0032d66c",
"parentcaller": "0x0032daee",
"category": "filesystem",
"api": "NtWriteFile",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileHandle",
"value": "0x0000009c"
},
{
"name": "HandleName",
"value": "\\Device\\ConDrv"
},
{
"name": "Buffer",
"value": "\r\n"
},
{
"name": "Length",
"value": "2"
}
],
"repeated": 0,
"id": 1257
},
{
"timestamp": "2026-03-08 06:36:11,428",
"thread_id": "6036",
"caller": "0x0032926f",
"parentcaller": "0x00329334",
"category": "system",
"api": "LdrLoadDll",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Flags",
"value": "0x00000000"
},
{
"name": "FileName",
"value": "api-ms-win-appmodel-runtime-l1-1-2"
},
{
"name": "BaseAddress",
"value": "0x75250000"
}
],
"repeated": 0,
"id": 1258
},
{
"timestamp": "2026-03-08 06:36:11,428",
"thread_id": "6036",
"caller": "0x0032926f",
"parentcaller": "0x00329334",
"category": "system",
"api": "LoadLibraryExW",
"status": true,
"return": "0x75250000",
"arguments": [
{
"name": "lpLibFileName",
"value": "api-ms-win-appmodel-runtime-l1-1-2"
},
{
"name": "dwFlags",
"value": "0x00000800"
}
],
"repeated": 0,
"id": 1259
},
{
"timestamp": "2026-03-08 06:36:11,428",
"thread_id": "6036",
"caller": "0x00329344",
"parentcaller": "0x0032946e",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "kernel.appcore.dll"
},
{
"name": "ModuleHandle",
"value": "0x75250000"
},
{
"name": "FunctionName",
"value": "AppPolicyGetProcessTerminationMethod"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x75253a40"
}
],
"repeated": 0,
"id": 1260
},
{
"timestamp": "2026-03-08 06:36:11,428",
"thread_id": "6036",
"caller": "0x00321e56",
"parentcaller": "0x00321dc2",
"category": "system",
"api": "LdrGetDllHandle",
"status": false,
"return": "0xffffffffc0000135",
"pretty_return": "DLL_NOT_FOUND",
"arguments": [
{
"name": "FileName",
"value": "mscoree.dll"
},
{
"name": "ModuleHandle",
"value": "0xfffffffa"
}
],
"repeated": 0,
"id": 1261
},
{
"timestamp": "2026-03-08 06:36:11,428",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "process",
"api": "NtTerminateProcess",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0x00000000"
},
{
"name": "ExitCode",
"value": "0xffffffff"
}
],
"repeated": 0,
"id": 1262
},
{
"timestamp": "2026-03-08 06:36:11,444",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "LdrGetDllHandle",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileName",
"value": "kernel32.dll"
},
{
"name": "ModuleHandle",
"value": "0x76ab0000"
}
],
"repeated": 0,
"id": 1263
},
{
"timestamp": "2026-03-08 06:36:11,444",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "LdrGetDllHandle",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileName",
"value": "kernelbase.dll"
},
{
"name": "ModuleHandle",
"value": "0x77150000"
}
],
"repeated": 0,
"id": 1264
},
{
"timestamp": "2026-03-08 06:36:11,444",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "LdrGetDllHandle",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileName",
"value": "ntdll.dll"
},
{
"name": "ModuleHandle",
"value": "0x77e40000"
}
],
"repeated": 0,
"id": 1265
},
{
"timestamp": "2026-03-08 06:36:11,444",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "ntdll.dll"
},
{
"name": "ModuleHandle",
"value": "0x77e40000"
},
{
"name": "FunctionName",
"value": "RtlDllShutdownInProgress"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x77e9f5a0"
}
],
"repeated": 0,
"id": 1266
},
{
"timestamp": "2026-03-08 06:36:11,444",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x0000038c"
}
],
"repeated": 0,
"id": 1267
},
{
"timestamp": "2026-03-08 06:36:11,444",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x0000031c"
}
],
"repeated": 0,
"id": 1268
},
{
"timestamp": "2026-03-08 06:36:11,444",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000320"
}
],
"repeated": 0,
"id": 1269
},
{
"timestamp": "2026-03-08 06:36:11,444",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000324"
}
],
"repeated": 0,
"id": 1270
},
{
"timestamp": "2026-03-08 06:36:11,444",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000318"
}
],
"repeated": 0,
"id": 1271
},
{
"timestamp": "2026-03-08 06:36:11,444",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000314"
}
],
"repeated": 0,
"id": 1272
},
{
"timestamp": "2026-03-08 06:36:11,522",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "LdrGetDllHandle",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileName",
"value": "ntdll.dll"
},
{
"name": "ModuleHandle",
"value": "0x77e40000"
}
],
"repeated": 0,
"id": 1273
},
{
"timestamp": "2026-03-08 06:36:11,522",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "ntdll.dll"
},
{
"name": "ModuleHandle",
"value": "0x77e40000"
},
{
"name": "FunctionName",
"value": "RtlDllShutdownInProgress"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x77e9f5a0"
}
],
"repeated": 0,
"id": 1274
},
{
"timestamp": "2026-03-08 06:36:11,522",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x0000030c"
}
],
"repeated": 0,
"id": 1275
},
{
"timestamp": "2026-03-08 06:36:11,522",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000310"
}
],
"repeated": 0,
"id": 1276
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "LdrGetDllHandle",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileName",
"value": "ntdll.dll"
},
{
"name": "ModuleHandle",
"value": "0x77e40000"
}
],
"repeated": 0,
"id": 1277
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "ntdll.dll"
},
{
"name": "ModuleHandle",
"value": "0x77e40000"
},
{
"name": "FunctionName",
"value": "RtlDllShutdownInProgress"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x77e9f5a0"
}
],
"repeated": 0,
"id": 1278
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002ec"
}
],
"repeated": 0,
"id": 1279
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002f0"
}
],
"repeated": 0,
"id": 1280
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002f4"
}
],
"repeated": 0,
"id": 1281
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002f8"
}
],
"repeated": 0,
"id": 1282
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002fc"
}
],
"repeated": 0,
"id": 1283
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000300"
}
],
"repeated": 0,
"id": 1284
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000304"
}
],
"repeated": 0,
"id": 1285
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000308"
}
],
"repeated": 0,
"id": 1286
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "process",
"api": "NtFreeVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x00794000"
},
{
"name": "RegionSize",
"value": "0x00012000"
},
{
"name": "FreeType",
"value": "0x00004000"
}
],
"repeated": 0,
"id": 1287
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "process",
"api": "NtFreeVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x00783000"
},
{
"name": "RegionSize",
"value": "0x00003000"
},
{
"name": "FreeType",
"value": "0x00004000"
}
],
"repeated": 0,
"id": 1288
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "process",
"api": "NtFreeVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x0077f000"
},
{
"name": "RegionSize",
"value": "0x00003000"
},
{
"name": "FreeType",
"value": "0x00004000"
}
],
"repeated": 0,
"id": 1289
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002b4"
}
],
"repeated": 0,
"id": 1290
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002bc"
}
],
"repeated": 0,
"id": 1291
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002d0"
}
],
"repeated": 0,
"id": 1292
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "process",
"api": "NtUnmapViewOfSection",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x02540000"
},
{
"name": "RegionSize",
"value": "0x00002000"
}
],
"repeated": 0,
"id": 1293
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x0000023c"
}
],
"repeated": 0,
"id": 1294
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "LdrGetDllHandle",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileName",
"value": "ntdll.dll"
},
{
"name": "ModuleHandle",
"value": "0x77e40000"
}
],
"repeated": 0,
"id": 1295
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "ntdll.dll"
},
{
"name": "ModuleHandle",
"value": "0x77e40000"
},
{
"name": "FunctionName",
"value": "RtlDllShutdownInProgress"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x77e9f5a0"
}
],
"repeated": 0,
"id": 1296
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000240"
}
],
"repeated": 0,
"id": 1297
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002e8"
}
],
"repeated": 0,
"id": 1298
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000244"
}
],
"repeated": 0,
"id": 1299
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000248"
}
],
"repeated": 0,
"id": 1300
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002a8"
}
],
"repeated": 0,
"id": 1301
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002a0"
}
],
"repeated": 0,
"id": 1302
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000290"
}
],
"repeated": 0,
"id": 1303
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x0000028c"
}
],
"repeated": 0,
"id": 1304
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "LdrGetDllHandle",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileName",
"value": "ntdll.dll"
},
{
"name": "ModuleHandle",
"value": "0x77e40000"
}
],
"repeated": 0,
"id": 1305
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "ntdll.dll"
},
{
"name": "ModuleHandle",
"value": "0x77e40000"
},
{
"name": "FunctionName",
"value": "RtlDllShutdownInProgress"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x77e9f5a0"
}
],
"repeated": 0,
"id": 1306
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "process",
"api": "NtAllocateVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x00783000"
},
{
"name": "RegionSize",
"value": "0x00003000"
},
{
"name": "Protection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 1307
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000288"
}
],
"repeated": 0,
"id": 1308
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "process",
"api": "NtUnmapViewOfSectionEx",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x02580000"
},
{
"name": "RegionSize",
"value": "0x00001000"
},
{
"name": "Flags",
"value": "0"
}
],
"repeated": 0,
"id": 1309
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000338"
}
],
"repeated": 0,
"id": 1310
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000274"
}
],
"repeated": 0,
"id": 1311
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x0000025c"
}
],
"repeated": 0,
"id": 1312
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000260"
}
],
"repeated": 0,
"id": 1313
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000264"
}
],
"repeated": 0,
"id": 1314
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000268"
}
],
"repeated": 0,
"id": 1315
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x0000026c"
}
],
"repeated": 0,
"id": 1316
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000270"
}
],
"repeated": 0,
"id": 1317
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000280"
}
],
"repeated": 0,
"id": 1318
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x0000027c"
}
],
"repeated": 0,
"id": 1319
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000278"
}
],
"repeated": 0,
"id": 1320
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000258"
}
],
"repeated": 0,
"id": 1321
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000250"
}
],
"repeated": 0,
"id": 1322
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000254"
}
],
"repeated": 0,
"id": 1323
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000200"
}
],
"repeated": 0,
"id": 1324
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000204"
}
],
"repeated": 0,
"id": 1325
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000001fc"
}
],
"repeated": 0,
"id": 1326
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000001ec"
}
],
"repeated": 0,
"id": 1327
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000001d0"
}
],
"repeated": 0,
"id": 1328
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000001d4"
}
],
"repeated": 0,
"id": 1329
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000001cc"
}
],
"repeated": 0,
"id": 1330
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000001b4"
}
],
"repeated": 0,
"id": 1331
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000001b8"
}
],
"repeated": 0,
"id": 1332
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000001bc"
}
],
"repeated": 0,
"id": 1333
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000001c0"
}
],
"repeated": 0,
"id": 1334
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000001c4"
}
],
"repeated": 0,
"id": 1335
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000001c8"
}
],
"repeated": 0,
"id": 1336
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x77122000"
},
{
"name": "ModuleName",
"value": "ole32.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "OldAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 1337
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x77122000"
},
{
"name": "ModuleName",
"value": "ole32.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 1338
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000001ac"
}
],
"repeated": 0,
"id": 1339
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000001b0"
}
],
"repeated": 0,
"id": 1340
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000001a8"
}
],
"repeated": 0,
"id": 1341
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002c0"
}
],
"repeated": 0,
"id": 1342
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "LdrGetDllHandle",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileName",
"value": "ntdll.dll"
},
{
"name": "ModuleHandle",
"value": "0x77e40000"
}
],
"repeated": 0,
"id": 1343
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "ntdll.dll"
},
{
"name": "ModuleHandle",
"value": "0x77e40000"
},
{
"name": "FunctionName",
"value": "RtlDllShutdownInProgress"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x77e9f5a0"
}
],
"repeated": 0,
"id": 1344
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "process",
"api": "NtAllocateVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x0077f000"
},
{
"name": "RegionSize",
"value": "0x00003000"
},
{
"name": "Protection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 1345
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x0000018c"
}
],
"repeated": 0,
"id": 1346
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000190"
}
],
"repeated": 0,
"id": 1347
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000194"
}
],
"repeated": 0,
"id": 1348
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000198"
}
],
"repeated": 0,
"id": 1349
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x0000019c"
}
],
"repeated": 0,
"id": 1350
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000001a4"
}
],
"repeated": 0,
"id": 1351
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000001a0"
}
],
"repeated": 0,
"id": 1352
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x0000016c"
}
],
"repeated": 0,
"id": 1353
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000170"
}
],
"repeated": 0,
"id": 1354
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000168"
}
],
"repeated": 0,
"id": 1355
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000164"
}
],
"repeated": 0,
"id": 1356
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x0000015c"
}
],
"repeated": 0,
"id": 1357
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000160"
}
],
"repeated": 0,
"id": 1358
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000158"
}
],
"repeated": 0,
"id": 1359
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000154"
}
],
"repeated": 0,
"id": 1360
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000150"
}
],
"repeated": 0,
"id": 1361
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "ntdll.dll"
},
{
"name": "ModuleHandle",
"value": "0x77e40000"
},
{
"name": "FunctionName",
"value": "RtlDllShutdownInProgress"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x77e9f5a0"
}
],
"repeated": 0,
"id": 1362
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000134"
}
],
"repeated": 0,
"id": 1363
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000138"
}
],
"repeated": 0,
"id": 1364
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x0000010c"
}
],
"repeated": 0,
"id": 1365
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000110"
}
],
"repeated": 0,
"id": 1366
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000114"
}
],
"repeated": 0,
"id": 1367
},
{
"timestamp": "2026-03-08 06:36:11,647",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x00000114"
},
{
"name": "DesiredAccess",
"value": "0x00020019",
"pretty_value": "KEY_READ"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize"
}
],
"repeated": 0,
"id": 1368
},
{
"timestamp": "2026-03-08 06:36:11,663",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "KeyHandle",
"value": "0x00000114"
},
{
"name": "ValueName",
"value": "DisableMetaFiles"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles"
}
],
"repeated": 0,
"id": 1369
},
{
"timestamp": "2026-03-08 06:36:11,663",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000114"
}
],
"repeated": 0,
"id": 1370
},
{
"timestamp": "2026-03-08 06:36:11,663",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x00000114"
},
{
"name": "DesiredAccess",
"value": "0x00020019",
"pretty_value": "KEY_READ"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize"
}
],
"repeated": 0,
"id": 1371
},
{
"timestamp": "2026-03-08 06:36:11,663",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "KeyHandle",
"value": "0x00000114"
},
{
"name": "ValueName",
"value": "DisableUmpdBufferSizeCheck"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableUmpdBufferSizeCheck"
}
],
"repeated": 0,
"id": 1372
},
{
"timestamp": "2026-03-08 06:36:11,663",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000114"
}
],
"repeated": 0,
"id": 1373
},
{
"timestamp": "2026-03-08 06:36:11,663",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "process",
"api": "NtUnmapViewOfSectionEx",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x05380000"
},
{
"name": "RegionSize",
"value": "0x01260000"
},
{
"name": "Flags",
"value": "0"
}
],
"repeated": 0,
"id": 1374
},
{
"timestamp": "2026-03-08 06:36:11,663",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000328"
}
],
"repeated": 0,
"id": 1375
},
{
"timestamp": "2026-03-08 06:36:11,944",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x0000032c"
}
],
"repeated": 0,
"id": 1376
},
{
"timestamp": "2026-03-08 06:36:11,944",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "process",
"api": "NtFreeVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x0077f000"
},
{
"name": "RegionSize",
"value": "0x00008000"
},
{
"name": "FreeType",
"value": "0x00004000"
}
],
"repeated": 0,
"id": 1377
},
{
"timestamp": "2026-03-08 06:36:11,944",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "process",
"api": "NtFreeVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x00763000"
},
{
"name": "RegionSize",
"value": "0x00003000"
},
{
"name": "FreeType",
"value": "0x00004000"
}
],
"repeated": 0,
"id": 1378
},
{
"timestamp": "2026-03-08 06:36:11,944",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "process",
"api": "NtAllocateVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x00763000"
},
{
"name": "RegionSize",
"value": "0x00003000"
},
{
"name": "Protection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 1379
},
{
"timestamp": "2026-03-08 06:36:11,944",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "LdrGetDllHandle",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileName",
"value": "ntdll.dll"
},
{
"name": "ModuleHandle",
"value": "0x77e40000"
}
],
"repeated": 0,
"id": 1380
},
{
"timestamp": "2026-03-08 06:36:11,944",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "ntdll.dll"
},
{
"name": "ModuleHandle",
"value": "0x77e40000"
},
{
"name": "FunctionName",
"value": "RtlDllShutdownInProgress"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x77e9f5a0"
}
],
"repeated": 0,
"id": 1381
},
{
"timestamp": "2026-03-08 06:36:11,944",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000108"
}
],
"repeated": 0,
"id": 1382
},
{
"timestamp": "2026-03-08 06:36:11,944",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000104"
}
],
"repeated": 0,
"id": 1383
},
{
"timestamp": "2026-03-08 06:36:11,944",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000000e0"
}
],
"repeated": 0,
"id": 1384
},
{
"timestamp": "2026-03-08 06:36:11,944",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "LdrGetDllHandle",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileName",
"value": "ntdll.dll"
},
{
"name": "ModuleHandle",
"value": "0x77e40000"
}
],
"repeated": 0,
"id": 1385
},
{
"timestamp": "2026-03-08 06:36:11,944",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "ntdll.dll"
},
{
"name": "ModuleHandle",
"value": "0x77e40000"
},
{
"name": "FunctionName",
"value": "RtlDllShutdownInProgress"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x77e9f5a0"
}
],
"repeated": 0,
"id": 1386
},
{
"timestamp": "2026-03-08 06:36:11,944",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000210"
}
],
"repeated": 0,
"id": 1387
},
{
"timestamp": "2026-03-08 06:36:11,944",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000000f8"
}
],
"repeated": 0,
"id": 1388
},
{
"timestamp": "2026-03-08 06:36:11,944",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000000bc"
}
],
"repeated": 0,
"id": 1389
},
{
"timestamp": "2026-03-08 06:36:11,944",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000000b8"
}
],
"repeated": 0,
"id": 1390
},
{
"timestamp": "2026-03-08 06:36:11,944",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000000a0"
}
],
"repeated": 0,
"id": 1391
},
{
"timestamp": "2026-03-08 06:36:11,944",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000000b0"
}
],
"repeated": 0,
"id": 1392
},
{
"timestamp": "2026-03-08 06:36:11,944",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000000b4"
}
],
"repeated": 0,
"id": 1393
},
{
"timestamp": "2026-03-08 06:36:11,944",
"thread_id": "6036",
"caller": "0x00321dcc",
"parentcaller": "0x00321d8a",
"category": "process",
"api": "NtTerminateProcess",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "ExitCode",
"value": "0xffffffff"
}
],
"repeated": 0,
"id": 1394
}
],
"threads": [
"6036",
"6472",
"4396",
"6444",
"4356",
"1572",
"2028"
],
"environ": {
"UserName": "cape",
"ComputerName": "DESKTOP-PC01",
"WindowsPath": "C:\\Windows",
"TempPath": "C:\\Users\\cape\\AppData\\Local\\Temp\\",
"CommandLine": "\"C:\\Users\\cape\\AppData\\Local\\Temp\\strings.exe\" ",
"RegisteredOwner": "",
"RegisteredOrganization": "",
"ProductName": "",
"SystemVolumeSerialNumber": "7c6d-8d48",
"SystemVolumeGUID": "c48439d1-0000-0000-0000-100000000000",
"MachineGUID": "",
"MainExeBase": "0x00300000",
"MainExeSize": "0x0005c000",
"Bitness": "32-bit"
},
"file_activities": {
"read_files": [],
"write_files": [],
"delete_files": []
}
}
],
"anomaly": [],
"processtree": [
{
"name": "strings.exe",
"pid": 6132,
"parent_id": 7304,
"module_path": "C:\\Users\\cape\\AppData\\Local\\Temp\\strings.exe",
"children": [],
"threads": [
"6036",
"6472",
"4396",
"6444",
"4356",
"1572",
"2028"
],
"environ": {
"UserName": "cape",
"ComputerName": "DESKTOP-PC01",
"WindowsPath": "C:\\Windows",
"TempPath": "C:\\Users\\cape\\AppData\\Local\\Temp\\",
"CommandLine": "\"C:\\Users\\cape\\AppData\\Local\\Temp\\strings.exe\" ",
"RegisteredOwner": "",
"RegisteredOrganization": "",
"ProductName": "",
"SystemVolumeSerialNumber": "7c6d-8d48",
"SystemVolumeGUID": "c48439d1-0000-0000-0000-100000000000",
"MachineGUID": "",
"MainExeBase": "0x00300000",
"MainExeSize": "0x0005c000",
"Bitness": "32-bit"
}
}
],
"summary": {
"files": [
"C:\\Users\\cape\\AppData\\Local\\Temp\\strings.exe",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
"C:\\Windows\\System32\\msctf.dll",
"C:\\Program Files\\WindowsApps\\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe\\Windows\\System32\\ru-RU\\USER32.dll.mui",
"C:\\Windows\\win.ini",
"C:\\Windows\\System32\\uxtheme.dll.Config",
"C:\\Windows\\System32\\uxtheme.dll",
"C:\\Users\\cape\\AppData\\Local\\Temp\\strings.exe.Local\\",
"C:\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984",
"C:\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984\\comctl32.dll",
"C:\\Windows\\WindowsShell.Manifest",
"C:\\Windows\\System32\\kernel.appcore.dll",
"C:\\Windows\\System32\\bcryptPrimitives.dll",
"\\Device\\CNG",
"C:\\Windows\\System32\\textinputframework.dll",
"C:\\Windows\\System32\\CoreUIComponents.dll",
"C:\\Windows\\System32\\CoreMessaging.dll",
"C:\\Windows\\System32\\ntmarta.dll",
"C:\\Windows\\System32\\WinTypes.dll",
"C:\\Windows\\SystemResources\\USER32.dll.mun",
"C:\\Users\\cape\\AppData\\Local\\Temp\\TextShaping.dll",
"C:\\Windows\\System32\\TextShaping.dll",
"C:\\Windows\\Fonts\\staticcache.dat"
],
"read_files": [],
"write_files": [],
"delete_files": [],
"keys": [
"HKEY_CURRENT_USER",
"HKEY_LOCAL_MACHINE\\Software\\Sysinternals",
"HKEY_CURRENT_USER\\Software\\Sysinternals",
"HKEY_CURRENT_USER\\Software\\Sysinternals\\Strings",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Versions\\000603xx",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\Sorting\\Ids",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\windows nt\\currentversion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\ProductName",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Server\\ServerLevels",
"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize",
"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize\\AppsUseLightTheme",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\StateSeparation\\RedirectionMap\\Keys",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU\\Latest",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows",
"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\ScrollInset",
"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\DragDelay",
"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\DragMinDist",
"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\ScrollDelay",
"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\ScrollInterval",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\ResourcePolicies",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\AssemblyStorageRoots",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arabic Transparent",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arabic Transparent Bold",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arabic Transparent Bold,0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arabic Transparent,0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arial Baltic,186",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arial CE,238",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arial CYR,204",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arial Greek,161",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arial TUR,162",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Courier New Baltic,186",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Courier New CE,238",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Courier New CYR,204",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Courier New Greek,161",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Courier New TUR,162",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Helv",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Helvetica",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\MS Shell Dlg 2",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Tahoma Armenian",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Times",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Times New Roman Baltic,186",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Times New Roman CE,238",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Times New Roman CYR,204",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Times New Roman Greek,161",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Times New Roman TUR,162",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Tms Rmn",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\MS Shell Dlg",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\System,0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Fixedsys,0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Small Fonts,0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\MS Serif,0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\MS Sans Serif,0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Courier,0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arial Cyr,0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Courier New Cyr,0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Times New Roman Cyr,0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Helv,0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Tms Rmn,0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\strings.exe",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Policies\\Microsoft\\Cryptography\\Configuration",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\OOBE",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\OOBE\\LaunchUserOOBE",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\AppCompatClassName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\CTF\\EnableAnchorContext",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0\\Disable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0\\DataFilePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane1",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane2",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane3",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane4",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane5",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane6",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane7",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane8",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane9",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane10",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane11",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane12",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane13",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane14",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane15",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane16",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\MS Shell Dlg",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations",
"HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\DirectSwitchHotkeys",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\IsVailContainer",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Input",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Input\\ResyncResetTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Input\\MaxResyncAttempts",
"HKEY_CURRENT_USER\\Software",
"HKEY_CURRENT_USER\\SOFTWARE\\Sysinternals",
"HKEY_CURRENT_USER\\SOFTWARE\\Sysinternals\\Strings",
"HKEY_CURRENT_USER\\SOFTWARE\\Sysinternals\\Strings\\EulaAccepted",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableUmpdBufferSizeCheck"
],
"read_keys": [
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Versions\\000603xx",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\ProductName",
"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize\\AppsUseLightTheme",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU\\Latest",
"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\ScrollInset",
"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\DragDelay",
"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\DragMinDist",
"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\ScrollDelay",
"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\ScrollInterval",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\ResourcePolicies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arabic Transparent",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arabic Transparent Bold",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arabic Transparent Bold,0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arabic Transparent,0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arial Baltic,186",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arial CE,238",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arial CYR,204",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arial Greek,161",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arial TUR,162",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Courier New Baltic,186",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Courier New CE,238",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Courier New CYR,204",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Courier New Greek,161",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Courier New TUR,162",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Helv",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Helvetica",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\MS Shell Dlg 2",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Tahoma Armenian",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Times",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Times New Roman Baltic,186",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Times New Roman CE,238",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Times New Roman CYR,204",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Times New Roman Greek,161",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Times New Roman TUR,162",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Tms Rmn",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\MS Shell Dlg",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\System,0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Fixedsys,0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Small Fonts,0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\MS Serif,0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\MS Sans Serif,0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Courier,0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arial Cyr,0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Courier New Cyr,0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Times New Roman Cyr,0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Helv,0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Tms Rmn,0",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\OOBE\\LaunchUserOOBE",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\CTF\\EnableAnchorContext",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0\\Disable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0\\DataFilePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane1",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane2",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane3",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane4",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane5",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane6",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane7",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane8",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane9",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane10",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane11",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane12",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane13",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane14",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane15",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane16",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations",
"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\IsVailContainer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Input\\ResyncResetTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Input\\MaxResyncAttempts",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableUmpdBufferSizeCheck"
],
"write_keys": [
"HKEY_CURRENT_USER\\SOFTWARE\\Sysinternals",
"HKEY_CURRENT_USER\\SOFTWARE\\Sysinternals\\Strings",
"HKEY_CURRENT_USER\\SOFTWARE\\Sysinternals\\Strings\\EulaAccepted"
],
"delete_keys": [],
"executed_commands": [],
"resolved_apis": [],
"mutexes": [
"Local\\SM0:6132:168:WilStaging_02",
"Local\\MSCTF.Asm.MutexDefault1",
"CicLoadWinStaWinSta0",
"Local\\MSCTF.CtfMonitorInstMutexDefault1",
"Local\\SM0:6132:64:WilError_03"
],
"created_services": [],
"started_services": []
},
"enhanced": [
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:05,163",
"eid": 1,
"data": {
"file": "KERNELBASE.DLL",
"pathtofile": null,
"moduleaddress": null
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:05,163",
"eid": 2,
"data": {
"file": "LPK.DLL",
"pathtofile": null,
"moduleaddress": null
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:05,163",
"eid": 3,
"data": {
"file": "KERNEL32",
"pathtofile": null,
"moduleaddress": null
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:05,163",
"eid": 4,
"data": {
"file": "imm32.dll",
"pathtofile": null,
"moduleaddress": "0x774e0000"
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:05,178",
"eid": 5,
"data": {
"file": "api-ms-win-core-synch-l1-2-0",
"pathtofile": null,
"moduleaddress": "0x77150000"
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:05,178",
"eid": 6,
"data": {
"file": null,
"pathtofile": null,
"moduleaddress": null
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:05,178",
"eid": 7,
"data": {
"file": "api-ms-win-core-fibers-l1-1-1",
"pathtofile": null,
"moduleaddress": "0x77150000"
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:05,178",
"eid": 8,
"data": {
"file": null,
"pathtofile": null,
"moduleaddress": null
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:05,178",
"eid": 9,
"data": {
"file": "api-ms-win-core-synch-l1-2-0",
"pathtofile": null,
"moduleaddress": "0x77150000"
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:05,178",
"eid": 10,
"data": {
"file": null,
"pathtofile": null,
"moduleaddress": null
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:05,178",
"eid": 11,
"data": {
"file": "api-ms-win-core-fibers-l1-1-1",
"pathtofile": null,
"moduleaddress": "0x77150000"
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:05,178",
"eid": 12,
"data": {
"file": null,
"pathtofile": null,
"moduleaddress": null
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:05,178",
"eid": 13,
"data": {
"file": "api-ms-win-core-localization-l1-2-1",
"pathtofile": null,
"moduleaddress": "0x77150000"
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:05,178",
"eid": 14,
"data": {
"file": null,
"pathtofile": null,
"moduleaddress": null
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:05,178",
"eid": 15,
"data": {
"file": "kernel32",
"pathtofile": null,
"moduleaddress": "0x76ab0000"
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:05,178",
"eid": 16,
"data": {
"file": null,
"pathtofile": null,
"moduleaddress": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,178",
"eid": 17,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Versions\\000603xx",
"content": "kernel32.dll"
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:05,178",
"eid": 18,
"data": {
"file": "kernel32.dll",
"pathtofile": null,
"moduleaddress": "0x76ab0000"
}
},
{
"event": "write",
"object": "file",
"timestamp": "2026-03-08 06:36:05,194",
"eid": 19,
"data": {
"file": "\\Device\\ConDrv"
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,194",
"eid": 20,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\ProductName",
"content": "Windows 10 Enterprise"
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:05,350",
"eid": 21,
"data": {
"file": "Riched32.dll",
"pathtofile": null,
"moduleaddress": "0x73e60000"
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:05,397",
"eid": 22,
"data": {
"file": "C:\\Windows\\System32\\uxtheme.dll",
"pathtofile": null,
"moduleaddress": "0x745d0000"
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,413",
"eid": 23,
"data": {
"regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize\\AppsUseLightTheme",
"content": "1"
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:05,413",
"eid": 24,
"data": {
"file": "DDRAW.DLL",
"pathtofile": null,
"moduleaddress": null
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:05,413",
"eid": 25,
"data": {
"file": "D3D8.DLL",
"pathtofile": null,
"moduleaddress": null
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:05,413",
"eid": 26,
"data": {
"file": "D3D9.DLL",
"pathtofile": null,
"moduleaddress": null
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:05,538",
"eid": 27,
"data": {
"file": "ntdll.dll",
"pathtofile": null,
"moduleaddress": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,538",
"eid": 28,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU\\Latest",
"content": "C:\\Program Files\\WindowsApps\\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe"
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,632",
"eid": 29,
"data": {
"regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\ScrollInset",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,632",
"eid": 30,
"data": {
"regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\DragDelay",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,632",
"eid": 31,
"data": {
"regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\DragMinDist",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,632",
"eid": 32,
"data": {
"regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\ScrollDelay",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,632",
"eid": 33,
"data": {
"regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\ScrollInterval",
"content": null
}
},
{
"event": "read",
"object": "file",
"timestamp": "2026-03-08 06:36:05,632",
"eid": 34,
"data": {
"file": "C:\\Windows\\win.ini"
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,694",
"eid": 35,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\ResourcePolicies",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,694",
"eid": 36,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest",
"content": null
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:05,819",
"eid": 37,
"data": {
"file": "DDRAW.DLL",
"pathtofile": null,
"moduleaddress": null
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:05,819",
"eid": 38,
"data": {
"file": "D3D8.DLL",
"pathtofile": null,
"moduleaddress": null
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:05,819",
"eid": 39,
"data": {
"file": "D3D9.DLL",
"pathtofile": null,
"moduleaddress": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,882",
"eid": 40,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest",
"content": null
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:05,913",
"eid": 41,
"data": {
"file": "LPK",
"pathtofile": null,
"moduleaddress": null
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:05,913",
"eid": 42,
"data": {
"file": "GDI32",
"pathtofile": null,
"moduleaddress": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,975",
"eid": 43,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arabic Transparent",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,975",
"eid": 44,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arabic Transparent",
"content": "Arial"
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,975",
"eid": 45,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arabic Transparent Bold",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,975",
"eid": 46,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arabic Transparent Bold",
"content": "Arial Bold"
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,975",
"eid": 47,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arabic Transparent Bold,0",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,975",
"eid": 48,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arabic Transparent Bold,0",
"content": "Arial Bold,178"
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,975",
"eid": 49,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arabic Transparent,0",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,975",
"eid": 50,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arabic Transparent,0",
"content": "Arial,178"
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,975",
"eid": 51,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arial Baltic,186",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 52,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arial Baltic,186",
"content": "Arial,186"
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 53,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arial CE,238",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 54,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arial CE,238",
"content": "Arial,238"
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 55,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arial CYR,204",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 56,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arial CYR,204",
"content": "Arial,204"
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 57,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arial Greek,161",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 58,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arial Greek,161",
"content": "Arial,161"
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 59,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arial TUR,162",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 60,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arial TUR,162",
"content": "Arial,162"
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 61,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Courier New Baltic,186",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 62,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Courier New Baltic,186",
"content": "Courier New,186"
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 63,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Courier New CE,238",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 64,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Courier New CE,238",
"content": "Courier New,238"
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 65,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Courier New CYR,204",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 66,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Courier New CYR,204",
"content": "Courier New,204"
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 67,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Courier New Greek,161",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 68,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Courier New Greek,161",
"content": "Courier New,161"
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 69,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Courier New TUR,162",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 70,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Courier New TUR,162",
"content": "Courier New,162"
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 71,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Helv",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 72,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Helv",
"content": "MS Sans Serif"
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 73,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Helvetica",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 74,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Helvetica",
"content": "Arial"
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 75,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\MS Shell Dlg 2",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 76,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\MS Shell Dlg 2",
"content": "Tahoma"
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 77,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Tahoma Armenian",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 78,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Tahoma Armenian",
"content": "Tahoma"
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 79,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Times",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 80,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Times",
"content": "Times New Roman"
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 81,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Times New Roman Baltic,186",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 82,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Times New Roman Baltic,186",
"content": "Times New Roman,186"
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 83,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Times New Roman CE,238",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 84,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Times New Roman CE,238",
"content": "Times New Roman,238"
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 85,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arabic Transparent",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 86,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arabic Transparent",
"content": "Arial"
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 87,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arabic Transparent Bold",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 88,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arabic Transparent Bold",
"content": "Arial Bold"
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 89,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arabic Transparent Bold,0",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 90,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arabic Transparent Bold,0",
"content": "Arial Bold,178"
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 91,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arabic Transparent,0",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 92,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arabic Transparent,0",
"content": "Arial,178"
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 93,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arial Baltic,186",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 94,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arial Baltic,186",
"content": "Arial,186"
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 95,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arial CE,238",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 96,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arial CE,238",
"content": "Arial,238"
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 97,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arial CYR,204",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 98,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arial CYR,204",
"content": "Arial,204"
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 99,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arial Greek,161",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 100,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arial Greek,161",
"content": "Arial,161"
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 101,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arial TUR,162",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 102,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arial TUR,162",
"content": "Arial,162"
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 103,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Courier New Baltic,186",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 104,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Courier New Baltic,186",
"content": "Courier New,186"
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 105,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Courier New CE,238",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 106,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Courier New CE,238",
"content": "Courier New,238"
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 107,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Courier New CYR,204",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 108,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Courier New CYR,204",
"content": "Courier New,204"
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 109,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Courier New Greek,161",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 110,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Courier New Greek,161",
"content": "Courier New,161"
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 111,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Courier New TUR,162",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 112,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Courier New TUR,162",
"content": "Courier New,162"
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 113,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Helv",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 114,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Helv",
"content": "MS Sans Serif"
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 115,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Helvetica",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 116,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Helvetica",
"content": "Arial"
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 117,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\MS Shell Dlg 2",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 118,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\MS Shell Dlg 2",
"content": "Tahoma"
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 119,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Tahoma Armenian",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 120,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Tahoma Armenian",
"content": "Tahoma"
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 121,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Times",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 122,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Times",
"content": "Times New Roman"
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 123,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Times New Roman Baltic,186",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 124,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Times New Roman Baltic,186",
"content": "Times New Roman,186"
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 125,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Times New Roman CE,238",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:05,991",
"eid": 126,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Times New Roman CE,238",
"content": "Times New Roman,238"
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:06,007",
"eid": 127,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Times New Roman CYR,204",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:06,007",
"eid": 128,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Times New Roman CYR,204",
"content": "Times New Roman,204"
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:06,007",
"eid": 129,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Times New Roman Greek,161",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:06,007",
"eid": 130,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Times New Roman Greek,161",
"content": "Times New Roman,161"
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:06,007",
"eid": 131,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Times New Roman TUR,162",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:06,007",
"eid": 132,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Times New Roman TUR,162",
"content": "Times New Roman,162"
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:06,007",
"eid": 133,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Tms Rmn",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:06,007",
"eid": 134,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Tms Rmn",
"content": "MS Serif"
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:06,007",
"eid": 135,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\MS Shell Dlg",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:06,007",
"eid": 136,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\MS Shell Dlg",
"content": "Microsoft Sans Serif"
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:06,007",
"eid": 137,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\System,0",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:06,007",
"eid": 138,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\System,0",
"content": "System,204"
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:06,007",
"eid": 139,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Fixedsys,0",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:06,007",
"eid": 140,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Fixedsys,0",
"content": "Fixedsys,204"
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:06,007",
"eid": 141,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Small Fonts,0",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:06,007",
"eid": 142,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Small Fonts,0",
"content": "Small Fonts,204"
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:06,007",
"eid": 143,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\MS Serif,0",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:06,007",
"eid": 144,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\MS Serif,0",
"content": "MS Serif,204"
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:06,007",
"eid": 145,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\MS Sans Serif,0",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:06,007",
"eid": 146,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\MS Sans Serif,0",
"content": "MS Sans Serif,204"
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:06,007",
"eid": 147,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Courier,0",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:06,007",
"eid": 148,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Courier,0",
"content": "Courier New,204"
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:06,007",
"eid": 149,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arial Cyr,0",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:06,007",
"eid": 150,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Arial Cyr,0",
"content": "Arial,204"
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:06,007",
"eid": 151,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Courier New Cyr,0",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:06,007",
"eid": 152,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Courier New Cyr,0",
"content": "Courier New,204"
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:06,007",
"eid": 153,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Times New Roman Cyr,0",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:06,007",
"eid": 154,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Times New Roman Cyr,0",
"content": "Times New Roman,204"
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:06,007",
"eid": 155,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Helv,0",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:06,007",
"eid": 156,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Helv,0",
"content": "MS Sans Serif,204"
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:06,007",
"eid": 157,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Tms Rmn,0",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:06,007",
"eid": 158,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Tms Rmn,0",
"content": "MS Serif,204"
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:06,053",
"eid": 159,
"data": {
"file": "C:\\Windows\\system32\\rpcss.dll",
"pathtofile": null,
"moduleaddress": null
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:06,053",
"eid": 160,
"data": {
"file": "DDRAW.DLL",
"pathtofile": null,
"moduleaddress": null
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:06,053",
"eid": 161,
"data": {
"file": "D3D8.DLL",
"pathtofile": null,
"moduleaddress": null
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:06,053",
"eid": 162,
"data": {
"file": "D3D9.DLL",
"pathtofile": null,
"moduleaddress": null
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:06,069",
"eid": 163,
"data": {
"file": "DDRAW.DLL",
"pathtofile": null,
"moduleaddress": null
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:06,069",
"eid": 164,
"data": {
"file": "D3D8.DLL",
"pathtofile": null,
"moduleaddress": null
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:06,069",
"eid": 165,
"data": {
"file": "D3D9.DLL",
"pathtofile": null,
"moduleaddress": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:06,069",
"eid": 166,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:06,069",
"eid": 167,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled",
"content": "0"
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:06,069",
"eid": 168,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:06,069",
"eid": 169,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:06,085",
"eid": 170,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\OOBE\\LaunchUserOOBE",
"content": null
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:06,085",
"eid": 171,
"data": {
"file": "ntdll.dll",
"pathtofile": null,
"moduleaddress": null
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:06,241",
"eid": 172,
"data": {
"file": "DDRAW.DLL",
"pathtofile": null,
"moduleaddress": null
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:06,241",
"eid": 173,
"data": {
"file": "D3D8.DLL",
"pathtofile": null,
"moduleaddress": null
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:06,241",
"eid": 174,
"data": {
"file": "D3D9.DLL",
"pathtofile": null,
"moduleaddress": null
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:06,257",
"eid": 175,
"data": {
"file": "DDRAW.DLL",
"pathtofile": null,
"moduleaddress": null
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:06,257",
"eid": 176,
"data": {
"file": "D3D8.DLL",
"pathtofile": null,
"moduleaddress": null
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:06,257",
"eid": 177,
"data": {
"file": "D3D9.DLL",
"pathtofile": null,
"moduleaddress": null
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:06,272",
"eid": 178,
"data": {
"file": "DDRAW.DLL",
"pathtofile": null,
"moduleaddress": null
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:06,272",
"eid": 179,
"data": {
"file": "D3D8.DLL",
"pathtofile": null,
"moduleaddress": null
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:06,272",
"eid": 180,
"data": {
"file": "D3D9.DLL",
"pathtofile": null,
"moduleaddress": null
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:06,272",
"eid": 181,
"data": {
"file": "DDRAW.DLL",
"pathtofile": null,
"moduleaddress": null
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:06,272",
"eid": 182,
"data": {
"file": "D3D8.DLL",
"pathtofile": null,
"moduleaddress": null
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:06,272",
"eid": 183,
"data": {
"file": "D3D9.DLL",
"pathtofile": null,
"moduleaddress": null
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:06,272",
"eid": 184,
"data": {
"file": "DDRAW.DLL",
"pathtofile": null,
"moduleaddress": null
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:06,272",
"eid": 185,
"data": {
"file": "D3D8.DLL",
"pathtofile": null,
"moduleaddress": null
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:06,272",
"eid": 186,
"data": {
"file": "D3D9.DLL",
"pathtofile": null,
"moduleaddress": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:06,397",
"eid": 187,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\ResourcePolicies",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:06,413",
"eid": 188,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\CTF\\EnableAnchorContext",
"content": null
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:06,413",
"eid": 189,
"data": {
"file": "USER32",
"pathtofile": null,
"moduleaddress": null
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:06,413",
"eid": 190,
"data": {
"file": "C:\\Windows\\System32\\msctf.dll",
"pathtofile": null,
"moduleaddress": "0x76ba0000"
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:06,553",
"eid": 191,
"data": {
"file": "DDRAW.DLL",
"pathtofile": null,
"moduleaddress": null
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:06,553",
"eid": 192,
"data": {
"file": "D3D8.DLL",
"pathtofile": null,
"moduleaddress": null
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:06,553",
"eid": 193,
"data": {
"file": "D3D9.DLL",
"pathtofile": null,
"moduleaddress": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:06,725",
"eid": 194,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0\\Disable",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:06,725",
"eid": 195,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0\\DataFilePath",
"content": "C:\\Windows\\Fonts\\staticcache.dat"
}
},
{
"event": "read",
"object": "file",
"timestamp": "2026-03-08 06:36:06,725",
"eid": 196,
"data": {
"file": "C:\\Windows\\Fonts\\StaticCache.dat"
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:06,819",
"eid": 197,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane1",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:06,819",
"eid": 198,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane2",
"content": "SimSun-ExtB"
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:06,819",
"eid": 199,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane3",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:06,819",
"eid": 200,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane4",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:06,819",
"eid": 201,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane5",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:06,819",
"eid": 202,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane6",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:06,819",
"eid": 203,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane7",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:06,819",
"eid": 204,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane8",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:06,819",
"eid": 205,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane9",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:06,819",
"eid": 206,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane10",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:06,819",
"eid": 207,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane11",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:06,819",
"eid": 208,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane12",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:06,819",
"eid": 209,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane13",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:06,819",
"eid": 210,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane14",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:06,819",
"eid": 211,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane15",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:06,819",
"eid": 212,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane16",
"content": null
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:06,913",
"eid": 213,
"data": {
"file": "ntdll.dll",
"pathtofile": null,
"moduleaddress": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:06,913",
"eid": 214,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:06,913",
"eid": 215,
"data": {
"regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations",
"content": null
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:10,210",
"eid": 216,
"data": {
"file": "ext-ms-win-rtcore-ntuser-window-ext-l1-1-0.dll",
"pathtofile": null,
"moduleaddress": null
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:10,210",
"eid": 217,
"data": {
"file": "ntdll.dll",
"pathtofile": null,
"moduleaddress": null
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:11,069",
"eid": 218,
"data": {
"file": "ntdll.dll",
"pathtofile": null,
"moduleaddress": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:11,069",
"eid": 219,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\IsVailContainer",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:11,069",
"eid": 220,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Input\\ResyncResetTime",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:11,069",
"eid": 221,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Input\\MaxResyncAttempts",
"content": null
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:11,085",
"eid": 222,
"data": {
"file": "iertutil.dll",
"pathtofile": null,
"moduleaddress": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:11,194",
"eid": 223,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\OOBE\\LaunchUserOOBE",
"content": null
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:11,413",
"eid": 224,
"data": {
"file": "oleaut32.dll",
"pathtofile": null,
"moduleaddress": null
}
},
{
"event": "write",
"object": "registry",
"timestamp": "2026-03-08 06:36:11,413",
"eid": 225,
"data": {
"regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Sysinternals\\Strings\\EulaAccepted",
"content": "1"
}
},
{
"event": "write",
"object": "file",
"timestamp": "2026-03-08 06:36:11,413",
"eid": 226,
"data": {
"file": "\\Device\\ConDrv"
}
},
{
"event": "write",
"object": "file",
"timestamp": "2026-03-08 06:36:11,413",
"eid": 227,
"data": {
"file": "\\Device\\ConDrv"
}
},
{
"event": "write",
"object": "file",
"timestamp": "2026-03-08 06:36:11,413",
"eid": 228,
"data": {
"file": "\\Device\\ConDrv"
}
},
{
"event": "write",
"object": "file",
"timestamp": "2026-03-08 06:36:11,413",
"eid": 229,
"data": {
"file": "\\Device\\ConDrv"
}
},
{
"event": "write",
"object": "file",
"timestamp": "2026-03-08 06:36:11,413",
"eid": 230,
"data": {
"file": "\\Device\\ConDrv"
}
},
{
"event": "write",
"object": "file",
"timestamp": "2026-03-08 06:36:11,428",
"eid": 231,
"data": {
"file": "\\Device\\ConDrv"
}
},
{
"event": "write",
"object": "file",
"timestamp": "2026-03-08 06:36:11,428",
"eid": 232,
"data": {
"file": "\\Device\\ConDrv"
}
},
{
"event": "write",
"object": "file",
"timestamp": "2026-03-08 06:36:11,428",
"eid": 233,
"data": {
"file": "\\Device\\ConDrv"
}
},
{
"event": "write",
"object": "file",
"timestamp": "2026-03-08 06:36:11,428",
"eid": 234,
"data": {
"file": "\\Device\\ConDrv"
}
},
{
"event": "write",
"object": "file",
"timestamp": "2026-03-08 06:36:11,428",
"eid": 235,
"data": {
"file": "\\Device\\ConDrv"
}
},
{
"event": "write",
"object": "file",
"timestamp": "2026-03-08 06:36:11,428",
"eid": 236,
"data": {
"file": "\\Device\\ConDrv"
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:11,428",
"eid": 237,
"data": {
"file": "api-ms-win-appmodel-runtime-l1-1-2",
"pathtofile": null,
"moduleaddress": "0x75250000"
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:11,428",
"eid": 238,
"data": {
"file": null,
"pathtofile": null,
"moduleaddress": null
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:11,428",
"eid": 239,
"data": {
"file": "mscoree.dll",
"pathtofile": null,
"moduleaddress": null
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:11,444",
"eid": 240,
"data": {
"file": "kernel32.dll",
"pathtofile": null,
"moduleaddress": null
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:11,444",
"eid": 241,
"data": {
"file": "kernelbase.dll",
"pathtofile": null,
"moduleaddress": null
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:11,444",
"eid": 242,
"data": {
"file": "ntdll.dll",
"pathtofile": null,
"moduleaddress": null
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:11,522",
"eid": 243,
"data": {
"file": "ntdll.dll",
"pathtofile": null,
"moduleaddress": null
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:11,647",
"eid": 244,
"data": {
"file": "ntdll.dll",
"pathtofile": null,
"moduleaddress": null
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:11,647",
"eid": 245,
"data": {
"file": "ntdll.dll",
"pathtofile": null,
"moduleaddress": null
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:11,647",
"eid": 246,
"data": {
"file": "ntdll.dll",
"pathtofile": null,
"moduleaddress": null
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:11,647",
"eid": 247,
"data": {
"file": "ntdll.dll",
"pathtofile": null,
"moduleaddress": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:11,663",
"eid": 248,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2026-03-08 06:36:11,663",
"eid": 249,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableUmpdBufferSizeCheck",
"content": null
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:11,944",
"eid": 250,
"data": {
"file": "ntdll.dll",
"pathtofile": null,
"moduleaddress": null
}
},
{
"event": "load",
"object": "library",
"timestamp": "2026-03-08 06:36:11,944",
"eid": 251,
"data": {
"file": "ntdll.dll",
"pathtofile": null,
"moduleaddress": null
}
}
],
"encryptedbuffers": [],
"network_map": {
"endpoint_map": {},
"http_host_map": {},
"dns_intents": {},
"http_requests": [],
"winhttp_sessions": []
}
},
"debug": {
"log": "2026-03-05 20:34:38,257 [root] INFO: Date set to: 20260308T09:35:18, timeout set to: 60\n2026-03-08 09:35:18,131 [root] DEBUG: Starting analyzer from: C:\\vdyc7mjt\n2026-03-08 09:35:18,194 [root] DEBUG: Storing results at: C:\\pFgSGb\n2026-03-08 09:35:18,209 [root] DEBUG: Pipe server name: \\\\.\\PIPE\\iRkbqMIcVR\n2026-03-08 09:35:18,240 [root] DEBUG: Python path: C:\\Python310\n2026-03-08 09:35:18,256 [root] INFO: analysis running as an admin\n2026-03-08 09:35:18,272 [root] INFO: analysis package specified: \"exe\"\n2026-03-08 09:35:18,272 [root] DEBUG: importing analysis package module: \"modules.packages.exe\"...\n2026-03-08 09:35:18,287 [root] DEBUG: imported analysis package \"exe\"\n2026-03-08 09:35:18,287 [root] DEBUG: initializing analysis package \"exe\"...\n2026-03-08 09:35:18,287 [lib.common.common] INFO: wrapping\n2026-03-08 09:35:18,287 [lib.core.compound] INFO: C:\\Users\\cape\\AppData\\Local\\Temp already exists, skipping creation\n2026-03-08 09:35:18,287 [root] DEBUG: New location of moved file: C:\\Users\\cape\\AppData\\Local\\Temp\\strings.exe\n2026-03-08 09:35:18,303 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option\n2026-03-08 09:35:18,303 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option\n2026-03-08 09:35:18,303 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option\n2026-03-08 09:35:18,319 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option\n2026-03-08 09:35:18,631 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.browser\"\n2026-03-08 09:35:18,725 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.digisig\"\n2026-03-08 09:35:18,740 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.disguise\"\n2026-03-08 09:35:18,756 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.human\"\n2026-03-08 09:35:18,803 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'\n2026-03-08 09:35:18,834 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'\n2026-03-08 09:35:18,928 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'\n2026-03-08 09:35:20,100 [lib.api.screenshot] INFO: Please upgrade Pillow to >= 5.4.1 for best performance\n2026-03-08 09:35:20,147 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.screenshots\"\n2026-03-08 09:35:20,225 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.tlsdump\"\n2026-03-08 09:35:20,240 [root] DEBUG: Initialized auxiliary module \"Browser\"\n2026-03-08 09:35:20,240 [root] DEBUG: attempting to configure 'Browser' from data\n2026-03-08 09:35:20,256 [root] DEBUG: module Browser does not support data configuration, ignoring\n2026-03-08 09:35:20,256 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.browser\"...\n2026-03-08 09:35:20,256 [root] DEBUG: Started auxiliary module modules.auxiliary.browser\n2026-03-08 09:35:20,256 [root] DEBUG: Initialized auxiliary module \"DigiSig\"\n2026-03-08 09:35:20,256 [root] DEBUG: attempting to configure 'DigiSig' from data\n2026-03-08 09:35:20,256 [root] DEBUG: module DigiSig does not support data configuration, ignoring\n2026-03-08 09:35:20,272 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.digisig\"...\n2026-03-08 09:35:20,272 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature\n2026-03-08 09:35:21,256 [modules.auxiliary.digisig] DEBUG: File has a valid signature\n2026-03-08 09:35:21,256 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json\n2026-03-08 09:35:21,272 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig\n2026-03-08 09:35:21,272 [root] DEBUG: Initialized auxiliary module \"Disguise\"\n2026-03-08 09:35:21,272 [root] DEBUG: attempting to configure 'Disguise' from data\n2026-03-08 09:35:21,272 [root] DEBUG: module Disguise does not support data configuration, ignoring\n2026-03-08 09:35:21,272 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.disguise\"...\n2026-03-08 09:35:21,287 [modules.auxiliary.disguise] INFO: Disguising GUID to 339d92a4-c255-4420-97b0-5631bd58867a\n2026-03-08 09:35:21,287 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise\n2026-03-08 09:35:21,287 [root] DEBUG: Initialized auxiliary module \"Human\"\n2026-03-08 09:35:21,287 [root] DEBUG: attempting to configure 'Human' from data\n2026-03-08 09:35:21,287 [root] DEBUG: module Human does not support data configuration, ignoring\n2026-03-08 09:35:21,287 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.human\"...\n2026-03-08 09:35:21,303 [root] DEBUG: Started auxiliary module modules.auxiliary.human\n2026-03-08 09:35:21,303 [root] DEBUG: Initialized auxiliary module \"Screenshots\"\n2026-03-08 09:35:21,303 [root] DEBUG: attempting to configure 'Screenshots' from data\n2026-03-08 09:35:21,303 [root] DEBUG: module Screenshots does not support data configuration, ignoring\n2026-03-08 09:35:21,303 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.screenshots\"...\n2026-03-08 09:35:21,459 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots\n2026-03-08 09:35:21,459 [root] DEBUG: Initialized auxiliary module \"TLSDumpMasterSecrets\"\n2026-03-08 09:35:21,459 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data\n2026-03-08 09:35:21,459 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring\n2026-03-08 09:35:21,459 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.tlsdump\"...\n2026-03-08 09:35:21,522 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 644\n2026-03-08 09:35:21,584 [lib.api.process] INFO: Monitor config for : C:\\vdyc7mjt\\dll\\644.ini\n2026-03-08 09:35:21,584 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor\n2026-03-08 09:35:21,662 [lib.api.process] INFO: 64-bit DLL to inject is C:\\vdyc7mjt\\dll\\agsEkyC.dll, loader C:\\vdyc7mjt\\bin\\HLnLkMTh.exe\n2026-03-08 09:35:21,772 [root] DEBUG: Loader: Injecting process 644 with C:\\vdyc7mjt\\dll\\agsEkyC.dll.\n2026-03-08 09:35:51,584 [root] DEBUG: 644: Python path set to 'C:\\Python310'.\n2026-03-08 09:35:51,631 [root] DEBUG: 644: Disabling sleep skipping.\n2026-03-08 09:35:51,662 [root] DEBUG: 644: TLS secret dump mode enabled.\n2026-03-08 09:35:52,928 [root] DEBUG: 644: Yara error: Scanning timed out\n2026-03-08 09:35:52,928 [root] DEBUG: 644: Monitor initialised: 64-bit capemon loaded in process 644 at 0x00007FFEABE90000, thread 1956, image base 0x00007FF7C23E0000, stack from 0x0000008E4CA71000-0x0000008E4CA80000\n2026-03-08 09:35:52,928 [root] DEBUG: 644: Commandline: C:\\Windows\\system32\\lsass.exe\n2026-03-08 09:35:52,959 [root] DEBUG: 644: Hooked 5 out of 5 functions\n2026-03-08 09:35:52,975 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.\n2026-03-08 09:35:52,990 [root] DEBUG: Successfully injected DLL C:\\vdyc7mjt\\dll\\agsEkyC.dll.\n2026-03-08 09:35:53,006 [lib.api.process] INFO: Injected into 64-bit \n2026-03-08 09:35:53,006 [root] DEBUG: Started auxiliary module modules.auxiliary.tlsdump\n2026-03-08 09:35:53,459 [root] DEBUG: 644: TLS 1.2 secrets logged to: C:\\pFgSGb\\tlsdump\\tlsdump.log\n2026-03-08 09:36:01,366 [root] INFO: Restarting WMI Service\n2026-03-08 09:36:01,428 [root] DEBUG: package modules.packages.exe does not support configure, ignoring\n2026-03-08 09:36:01,444 [root] WARNING: configuration error for package modules.packages.exe: error importing data.packages.exe: No module named 'data.packages'\n2026-03-08 09:36:01,444 [lib.core.compound] INFO: C:\\Users\\cape\\AppData\\Local\\Temp already exists, skipping creation\n2026-03-08 09:36:01,538 [lib.api.process] INFO: Successfully executed process from path \"C:\\Users\\cape\\AppData\\Local\\Temp\\strings.exe\" with arguments \"\" with pid 6132\n2026-03-08 09:36:01,538 [lib.api.process] INFO: Monitor config for : C:\\vdyc7mjt\\dll\\6132.ini\n2026-03-08 09:36:01,553 [lib.api.process] INFO: 32-bit DLL to inject is C:\\vdyc7mjt\\dll\\hizPnd.dll, loader C:\\vdyc7mjt\\bin\\fyLUmkl.exe\n2026-03-08 09:36:01,678 [root] DEBUG: Loader: Injecting process 6132 (thread 6036) with C:\\vdyc7mjt\\dll\\hizPnd.dll.\n2026-03-08 09:36:01,694 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.\n2026-03-08 09:36:01,694 [root] DEBUG: Successfully injected DLL C:\\vdyc7mjt\\dll\\hizPnd.dll.\n2026-03-08 09:36:01,709 [lib.api.process] INFO: Injected into 32-bit \n2026-03-08 09:36:03,725 [lib.api.process] INFO: Successfully resumed \n2026-03-08 09:36:04,537 [root] DEBUG: 6132: Python path set to 'C:\\Python310'.\n2026-03-08 09:36:04,553 [root] DEBUG: 6132: Disabling sleep skipping.\n2026-03-08 09:36:04,553 [root] DEBUG: 6132: Dropped file limit defaulting to 100.\n2026-03-08 09:36:04,600 [root] DEBUG: 6132: YaraInit: Compiled 44 rule files\n2026-03-08 09:36:04,600 [root] DEBUG: 6132: YaraInit: Compiled rules saved to file C:\\vdyc7mjt\\data\\yara\\capemon.yac\n2026-03-08 09:36:04,615 [root] DEBUG: 6132: YaraScan: Scanning 0x00300000, size 0x5b6c0\n2026-03-08 09:36:04,615 [root] DEBUG: 6132: Monitor initialised: 32-bit capemon loaded in process 6132 at 0x73f00000, thread 6036, image base 0x300000, stack from 0x282000-0x290000\n2026-03-08 09:36:04,631 [root] DEBUG: 6132: Commandline: \"C:\\Users\\cape\\AppData\\Local\\Temp\\strings.exe\"\n2026-03-08 09:36:04,866 [root] DEBUG: 6132: hook_api: LdrpCallInitRoutine export address 0x77EB2A40 obtained via GetFunctionAddress\n2026-03-08 09:36:04,991 [root] DEBUG: 6132: hook_api: Warning - SetWindowLongW export address 0x75D45420 differs from GetProcAddress -> 0x750E59E0 (apphelp.dll::0xff3d59e0)\n2026-03-08 09:36:04,991 [root] DEBUG: 6132: hook_api: Warning - EnumDisplayDevicesA export address 0x75D395A0 differs from GetProcAddress -> 0x750E6780 (apphelp.dll::0xff3d6780)\n2026-03-08 09:36:05,006 [root] DEBUG: 6132: hook_api: Warning - EnumDisplayDevicesW export address 0x75D4FB70 differs from GetProcAddress -> 0x7510E4D0 (apphelp.dll::0xff3fe4d0)\n2026-03-08 09:36:05,022 [root] WARNING: b'Unable to place hook on GetCommandLineA'\n2026-03-08 09:36:05,022 [root] DEBUG: 6132: set_hooks: Unable to hook GetCommandLineA\n2026-03-08 09:36:05,022 [root] WARNING: b'Unable to place hook on GetCommandLineW'\n2026-03-08 09:36:05,037 [root] DEBUG: 6132: set_hooks: Unable to hook GetCommandLineW\n2026-03-08 09:36:05,131 [root] DEBUG: 6132: Hooked 630 out of 632 functions\n2026-03-08 09:36:05,147 [root] DEBUG: 6132: Syscall hook installed, syscall logging level 1\n2026-03-08 09:36:05,147 [root] DEBUG: 6132: RestoreHeaders: Restored original import table.\n2026-03-08 09:36:05,147 [root] INFO: Loaded monitor into process with pid 6132\n2026-03-08 09:36:05,162 [root] DEBUG: 6132: caller_dispatch: Added region at 0x00300000 to tracked regions list (kernel32::LoadLibraryExW returns to 0x0030D07E, thread 6036).\n2026-03-08 09:36:05,178 [root] DEBUG: 6132: YaraScan: Scanning 0x00300000, size 0x5b6c0\n2026-03-08 09:36:05,178 [root] DEBUG: 6132: ProcessImageBase: Main module image at 0x00300000 unmodified (entropy change 0.000000e+00)\n2026-03-08 09:36:05,240 [root] DEBUG: 6132: DLL loaded at 0x73DC0000: C:\\Windows\\SYSTEM32\\USP10 (0x17000 bytes).\n2026-03-08 09:36:05,256 [root] DEBUG: 6132: DLL loaded at 0x73D80000: C:\\Windows\\SYSTEM32\\msls31 (0x31000 bytes).\n2026-03-08 09:36:05,256 [root] DEBUG: 6132: DLL loaded at 0x73DE0000: C:\\Windows\\SYSTEM32\\RICHED20 (0x7a000 bytes).\n2026-03-08 09:36:05,256 [root] DEBUG: 6132: DLL loaded at 0x73E60000: C:\\Windows\\SYSTEM32\\Riched32 (0x6000 bytes).\n2026-03-08 09:36:05,350 [root] DEBUG: 6132: InstrumentationCallback: Added region at 0x772833EC (base 0x77150000) to tracked regions list (thread 6036).\n2026-03-08 09:36:05,350 [root] DEBUG: 6132: ProcessTrackedRegion: Region at 0x77150000 mapped as \\Device\\HarddiskVolume1\\Windows\\SysWOW64\\KernelBase.dll is in known range, skipping\n2026-03-08 09:36:05,397 [root] DEBUG: 6132: DLL loaded at 0x745D0000: C:\\Windows\\system32\\uxtheme (0x74000 bytes).\n2026-03-08 09:36:05,412 [root] DEBUG: 6132: DLL loaded at 0x76BA0000: C:\\Windows\\System32\\MSCTF (0xd4000 bytes).\n2026-03-08 09:36:05,709 [root] DEBUG: 6132: InstrumentationCallback: Added region at 0x76AD24AC (base 0x76AB0000) to tracked regions list (thread 6036).\n2026-03-08 09:36:05,709 [root] DEBUG: 6132: ProcessTrackedRegion: Region at 0x76AB0000 mapped as \\Device\\HarddiskVolume1\\Windows\\SysWOW64\\kernel32.dll is in known range, skipping\n2026-03-08 09:36:05,819 [root] DEBUG: 6132: DLL loaded at 0x73B70000: C:\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984\\comctl32 (0x210000 bytes).\n2026-03-08 09:36:05,897 [root] DEBUG: 6132: ProcessTrackedRegion: Region at 0x76AB0000 mapped as \\Device\\HarddiskVolume1\\Windows\\SysWOW64\\kernel32.dll is in known range, skipping\n2026-03-08 09:36:06,053 [root] DEBUG: 6132: set_hooks_by_export_directory: Hooked 0 out of 632 functions\n2026-03-08 09:36:06,053 [root] DEBUG: 6132: DLL loaded at 0x75250000: C:\\Windows\\SYSTEM32\\kernel.appcore (0xf000 bytes).\n2026-03-08 09:36:06,069 [root] DEBUG: 6132: DLL loaded at 0x76D80000: C:\\Windows\\System32\\bcryptPrimitives (0x5f000 bytes).\n2026-03-08 09:36:06,256 [root] DEBUG: 6132: DLL loaded at 0x73760000: C:\\Windows\\SYSTEM32\\ntmarta (0x29000 bytes).\n2026-03-08 09:36:06,272 [root] DEBUG: 6132: DLL loaded at 0x73790000: C:\\Windows\\System32\\CoreMessaging (0x9b000 bytes).\n2026-03-08 09:36:06,272 [root] DEBUG: 6132: DLL loaded at 0x73680000: C:\\Windows\\SYSTEM32\\wintypes (0xdb000 bytes).\n2026-03-08 09:36:06,272 [root] DEBUG: 6132: DLL loaded at 0x73830000: C:\\Windows\\System32\\CoreUIComponents (0x27e000 bytes).\n2026-03-08 09:36:06,287 [root] DEBUG: 6132: DLL loaded at 0x73AB0000: C:\\Windows\\SYSTEM32\\textinputframework (0xb9000 bytes).\n2026-03-08 09:36:06,631 [root] DEBUG: 6132: DLL loaded at 0x735E0000: C:\\Windows\\SYSTEM32\\TextShaping (0x94000 bytes).\n2026-03-08 09:36:08,569 [modules.auxiliary.human] INFO: Found button \"agree\", clicking it\n2026-03-08 09:36:11,428 [root] DEBUG: 6132: NtTerminateProcess hook: Attempting to dump process 6132\n2026-03-08 09:36:11,428 [root] DEBUG: 6132: DoProcessDump: Skipping process dump as code is identical on disk.\n2026-03-08 09:36:11,850 [root] INFO: Process with pid 6132 appears to have terminated\n2026-03-08 09:36:12,022 [root] INFO: Process with pid 6132 has terminated\n2026-03-08 09:36:16,959 [root] INFO: Process list is empty, terminating analysis\n2026-03-08 09:36:17,990 [root] INFO: Created shutdown mutex\n2026-03-08 09:36:19,006 [root] INFO: Shutting down package\n2026-03-08 09:36:19,006 [root] INFO: Stopping auxiliary modules\n2026-03-08 09:36:19,006 [root] INFO: Stopping auxiliary module: Browser\n2026-03-08 09:36:19,006 [root] INFO: Stopping auxiliary module: Human\n2026-03-08 09:36:21,631 [root] INFO: Stopping auxiliary module: Screenshots\n2026-03-08 09:36:22,459 [root] INFO: Finishing auxiliary modules\n2026-03-08 09:36:22,490 [root] INFO: Shutting down pipe server and dumping dropped files\n2026-03-08 09:36:22,490 [root] WARNING: Folder at path \"C:\\pFgSGb\\debugger\" does not exist, skipping\n2026-03-08 09:36:22,490 [root] INFO: Uploading files at path \"C:\\pFgSGb\\tlsdump\"\n2026-03-08 09:36:22,490 [lib.common.results] INFO: Uploading file C:\\pFgSGb\\tlsdump\\tlsdump.log to tlsdump\\tlsdump.log; Size is 8494; Max size: 100000000\n2026-03-08 09:36:22,490 [root] INFO: Analysis completed\n",
"errors": []
},
"network": {},
"suricata": {
"alerts": [],
"tls": [],
"perf": [],
"files": [],
"http": [],
"dns": [],
"ssh": [],
"fileinfo": [],
"eve_log_full_path": null,
"alert_log_full_path": null,
"tls_log_full_path": null,
"http_log_full_path": null,
"file_log_full_path": null,
"ssh_log_full_path": null,
"dns_log_full_path": null
},
"url_analysis": {},
"procmemory": [],
"signatures": [
{
"name": "queries_keyboard_layout",
"description": "Queries the keyboard layout",
"categories": [
"location_discovery"
],
"severity": 1,
"weight": 1,
"confidence": 100,
"references": [],
"data": [
{
"type": "call",
"pid": 6132,
"cid": 183
},
{
"type": "call",
"pid": 6132,
"cid": 230
},
{
"type": "call",
"pid": 6132,
"cid": 608
},
{
"type": "call",
"pid": 6132,
"cid": 691
},
{
"type": "call",
"pid": 6132,
"cid": 838
},
{
"type": "call",
"pid": 6132,
"cid": 845
},
{
"type": "call",
"pid": 6132,
"cid": 849
},
{
"type": "call",
"pid": 6132,
"cid": 1098
},
{
"type": "call",
"pid": 6132,
"cid": 1109
},
{
"type": "call",
"pid": 6132,
"cid": 1210
},
{
"type": "call",
"pid": 6132,
"cid": 1212
}
],
"new_data": [],
"alert": false,
"families": []
},
{
"name": "queries_locale_api",
"description": "Queries the computer locale (possible geofencing)",
"categories": [
"location_discovery",
"geofence"
],
"severity": 1,
"weight": 1,
"confidence": 100,
"references": [],
"data": [
{
"type": "call",
"pid": 6132,
"cid": 113
},
{
"type": "call",
"pid": 6132,
"cid": 850
},
{
"type": "call",
"pid": 6132,
"cid": 1017
},
{
"type": "call",
"pid": 6132,
"cid": 1097
},
{
"type": "call",
"pid": 6132,
"cid": 1106
},
{
"type": "call",
"pid": 6132,
"cid": 1108
}
],
"new_data": [],
"alert": false,
"families": []
},
{
"name": "static_pe_pdbpath",
"description": "The PE file contains a PDB path",
"categories": [
"static"
],
"severity": 1,
"weight": 1,
"confidence": 80,
"references": [
"https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
],
"data": [
{
"pdbpath": "D:\\a\\1\\s\\Win32\\Release\\strings.pdb"
}
],
"new_data": [],
"alert": false,
"families": []
},
{
"name": "antidebug_setunhandledexceptionfilter",
"description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
"categories": [
"anti-debug"
],
"severity": 1,
"weight": 1,
"confidence": 40,
"references": [],
"data": [
{
"type": "call",
"pid": 6132,
"cid": 69
}
],
"new_data": [],
"alert": false,
"families": []
},
{
"name": "contains_pe_overlay",
"description": "The PE file contains an overlay",
"categories": [
"static"
],
"severity": 2,
"weight": 1,
"confidence": 100,
"references": [],
"data": [
{
"overlay": "Contains overlay at offset 0x00058200 with size: 9096 bytes"
}
],
"new_data": [],
"alert": false,
"families": []
},
{
"name": "sysinternals_tools",
"description": "Executed a sysinternals tool",
"categories": [
"command"
],
"severity": 2,
"weight": 1,
"confidence": 100,
"references": [
"https://docs.microsoft.com/en-us/sysinternals/"
],
"data": [],
"new_data": [],
"alert": false,
"families": []
},
{
"name": "binary_yara",
"description": "Binary file triggered multiple YARA rules",
"categories": [
"static"
],
"severity": 3,
"weight": 1,
"confidence": 80,
"references": [],
"data": [
{
"Binary triggered YARA rule": "IsPE32"
},
{
"Binary triggered YARA rule": "IsConsole"
},
{
"Binary triggered YARA rule": "HasOverlay"
},
{
"Binary triggered YARA rule": "HasDebugData"
},
{
"Binary triggered YARA rule": "HasRichSignature"
},
{
"Binary triggered YARA rule": "VC8_Microsoft_Corporation"
},
{
"Binary triggered YARA rule": "Microsoft_Visual_Cpp_8"
}
],
"new_data": [],
"alert": false,
"families": []
}
],
"malscore": 0.0,
"ttps": [],
"malstatus": "Clean"
}